[asterisk-bugs] [JIRA] (ASTERISK-26896) Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT

Richard Mudgett (JIRA) noreply at issues.asterisk.org
Fri Mar 24 16:37:09 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-26896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236128#comment-236128 ] 

Richard Mudgett commented on ASTERISK-26896:
--------------------------------------------

You have to wait for the license agreement to be accepted before you can attach the patch.  When it is accepted you need to reattach the patch.  You could also put the patch up on gerrit [1] after the license is accepted.

[1] https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage

> Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
> ------------------------------------------------------------------------
>
>                 Key: ASTERISK-26896
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26896
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: CEL/cel_pgsql
>    Affects Versions: 11.25.1, 13.15.0
>            Reporter: twisted
>         Attachments: cel_pgsql.patch, cel_pgsql.patch
>
>
> If you have more than 513 characters being passed as arguments into a CEL log request (such as the dial app with a large array of devices), the module attempts to pass the char* pointer along with a buffer that is only allocated 513 bytes.  PQEscapeStringConn() expects an appropriately sized buffer, and thus overflows our buffer, causing a SIGABRT when glibc detects the stack smash has occurred.
> I have a patch that will resize our escape buffer if our value passed exceeds the initial 513 bytes.
> The data used in this instance was to Dial.
> {code}Dial(SIP/2643&SIP/2393&SIP/2647&SIP/2997&SIP/2451Polycom&SIP/2400Polycom&SIP/2672&SIP/2366Polycom&SIP/2374&SIP/2405&SIP/2379&SIP/2338&SIP/2455&SIP/2355&SIP/2733&SIP/2531&SIP/2649&SIP/2365&SIP/2404&SIP/2447&SIP/2446&SIP/2541&SIP/2602Polycom&SIP/2387Polycom&SIP/2677&SIP/2735&SIP/2272&SIP/2526Polycom&SIP/2659&SIP/2514&SIP/2737Polycom&SIP/2675Polycom&SIP/2747&SIP/2293&SIP/2407&SIP/2553&SIP/2553Polycom&SIP/2566&SIP/2648&SIP/2422&SIP/2739&SIP/2758&SIP/2692&SIP/2537Polycom&SIP/2605&SIP/2413&SIP/2563&SIP/2204Polycom&SIP/2410Polycom&SIP/2289&SIP/2369&SIP/2445Polycom&SIP/2170Polycom&SIP/2420Polycom&SIP/2421Polycom&SIP/2391&SIP/2758Polycom&SIP/2700&SIP/2217&SIP/2454&SIP/2506,25,t){code}
> Resulting in an ABRT with **stack smashing detected** pointing at cel_pgsql.c.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
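The sizing contract behind the quoted report, as an added example in C that is not Asterisk's or libpq's code: libpq's PQescapeStringConn() requires the destination buffer to hold at least 2*length+1 bytes (every input byte may be doubled, plus the terminating NUL), so a fixed-size stack buffer is only safe up to a computable input length, and the fix is to check that bound and grow the buffer before escaping. The names escape_buf_needed(), fits_fixed_buffer(), toy_escape(), build_dial_args() and escape_app_args() are mine, FIXED_ESCAPE_BUF is the 513-byte size taken from the report, the dial string is constructed to resemble the one in the report, and toy_escape() is a simplified stand-in for libpq's escaping that only doubles single quotes and backslashes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed escape buffer named in the report (assumption: the
 * 513 bytes include the terminating NUL). */
#define FIXED_ESCAPE_BUF 513

/* libpq contract for PQescapeStringConn(): the destination must hold at
 * least one byte more than twice the input length. */
size_t escape_buf_needed(size_t len)
{
    return 2 * len + 1;
}

/* Returns 1 when `len` input bytes can be escaped into `bufsize` bytes
 * under the worst case; this is the check the fixed-buffer code lacked. */
int fits_fixed_buffer(size_t len, size_t bufsize)
{
    return escape_buf_needed(len) <= bufsize;
}

/* Simplified stand-in for libpq escaping (hypothetical, not libpq):
 * doubles single quotes and backslashes.  Writes at most 2*len+1 bytes,
 * so `dst` must be sized with escape_buf_needed().  Returns the escaped
 * length excluding the NUL. */
size_t toy_escape(char *dst, const char *src, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        if (src[i] == '\'' || src[i] == '\\') {
            dst[out++] = src[i];   /* emit the doubled copy */
        }
        dst[out++] = src[i];
    }
    dst[out] = '\0';
    return out;
}

/* Hardened pattern: compute the worst-case escaped size from the actual
 * input and allocate that much, instead of trusting a fixed 513-byte
 * array.  Returns a malloc'd string the caller frees, or NULL. */
char *escape_app_args(const char *args)
{
    size_t len = strlen(args);
    size_t need = escape_buf_needed(len);
    char *buf = malloc(need);
    if (!buf) {
        return NULL;
    }
    toy_escape(buf, args, len);
    return buf;
}

/* Constructed sample input: `count` identical SIP devices joined by '&'
 * followed by ",25,t", shaped like the Dial() arguments in the report.
 * Returns a malloc'd string of length 9*count + 4 for count >= 1. */
char *build_dial_args(size_t count)
{
    const char *device = "SIP/2643";
    size_t total = count * strlen(device) + (count ? count - 1 : 0) + strlen(",25,t") + 1;
    char *s = malloc(total);
    if (!s) {
        return NULL;
    }
    s[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        if (i) {
            strcat(s, "&");
        }
        strcat(s, device);
    }
    strcat(s, ",25,t");
    return s;
}

int main(void)
{
    char *args = build_dial_args(60);   /* 544 bytes, longer than the fixed buffer */
    if (!args) {
        return 1;
    }
    size_t len = strlen(args);
    printf("input %zu bytes, worst-case escaped %zu bytes, fits %d-byte buffer: %s\n",
           len, escape_buf_needed(len), FIXED_ESCAPE_BUF,
           fits_fixed_buffer(len, FIXED_ESCAPE_BUF) ? "yes" : "no (must grow)");
    char *escaped = escape_app_args(args);
    if (escaped) {
        printf("escaped length %zu\n", strlen(escaped));
        free(escaped);
    }
    free(args);
    return 0;
}
```

Note that the bound is on the input length, not on the escaped output: with a 513-byte buffer, inputs longer than 256 bytes already violate the libpq contract even when they contain no quote characters, so the check must run before escaping rather than rely on the absence of characters that get doubled.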