[asterisk-bugs] [JIRA] (ASTERISK-26896) Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Thu Mar 30 05:15:10 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-26896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236200#comment-236200 ]
Friendly Automation commented on ASTERISK-26896:
------------------------------------------------
Change 5357 merged by Joshua Colp:
cel_pgsql.c: Fix buffer overflow calling libpq
[https://gerrit.asterisk.org/5357|https://gerrit.asterisk.org/5357]
> Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
> ------------------------------------------------------------------------
>
> Key: ASTERISK-26896
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26896
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: CEL/cel_pgsql
> Affects Versions: 11.25.1, 13.15.0
> Reporter: twisted
>
> If you have more than 513 characters being passed as arguments into a CEL log request (such as the dial app with a large array of devices), the module attempts to pass the char* pointer along with a buffer that is only allocated 513 bytes. PQEscapeStringConn() expects an appropriately sized buffer, and thus overflows our buffer, causing a SIGABRT when glibc detects the stack smash has occurred.
> I have a patch that will resize our escape buffer if our value passed exceeds the initial 513 bytes.
> The data used in this instance was to Dial.
> {code}Dial(SIP/2643&SIP/2393&SIP/2647&SIP/2997&SIP/2451Polycom&SIP/2400Polycom&SIP/2672&SIP/2366Polycom&SIP/2374&SIP/2405&SIP/2379&SIP/2338&SIP/2455&SIP/2355&SIP/2733&SIP/2531&SIP/2649&SIP/2365&SIP/2404&SIP/2447&SIP/2446&SIP/2541&SIP/2602Polycom&SIP/2387Polycom&SIP/2677&SIP/2735&SIP/2272&SIP/2526Polycom&SIP/2659&SIP/2514&SIP/2737Polycom&SIP/2675Polycom&SIP/2747&SIP/2293&SIP/2407&SIP/2553&SIP/2553Polycom&SIP/2566&SIP/2648&SIP/2422&SIP/2739&SIP/2758&SIP/2692&SIP/2537Polycom&SIP/2605&SIP/2413&SIP/2563&SIP/2204Polycom&SIP/2410Polycom&SIP/2289&SIP/2369&SIP/2445Polycom&SIP/2170Polycom&SIP/2420Polycom&SIP/2421Polycom&SIP/2391&SIP/2758Polycom&SIP/2700&SIP/2217&SIP/2454&SIP/2506,25,t){code}
> Resulting in an ABRT with **stack smashing detected** pointing at cel_pgsql.c.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list