[asterisk-bugs] [JIRA] (ASTERISK-26896) Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
Kevin Harwell (JIRA)
noreply at issues.asterisk.org
Mon May 22 15:47:26 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-26896?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Harwell updated ASTERISK-26896:
-------------------------------------
Target Release Version/s: 14.5.0
> Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
> ------------------------------------------------------------------------
>
> Key: ASTERISK-26896
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26896
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: CEL/cel_pgsql
> Affects Versions: 11.25.1, 13.15.0
> Reporter: twisted
> Target Release: 13.16.0, 14.5.0
>
>
> If you have more than 513 characters being passed as arguments into a CEL log request (such as the dial app with a large array of devices), the module attempts to pass the char* pointer along with a buffer that is only allocated 513 bytes. PQEscapeStringConn() expects an appropriately sized buffer, and thus overflows our buffer, causing a SIGABRT when glibc detects the stack smash has occurred.
> I have a patch that will resize our escape buffer if our value passed exceeds the initial 513 bytes.
> The data used in this instance was to Dial.
> {code}Dial(SIP/2643&SIP/2393&SIP/2647&SIP/2997&SIP/2451Polycom&SIP/2400Polycom&SIP/2672&SIP/2366Polycom&SIP/2374&SIP/2405&SIP/2379&SIP/2338&SIP/2455&SIP/2355&SIP/2733&SIP/2531&SIP/2649&SIP/2365&SIP/2404&SIP/2447&SIP/2446&SIP/2541&SIP/2602Polycom&SIP/2387Polycom&SIP/2677&SIP/2735&SIP/2272&SIP/2526Polycom&SIP/2659&SIP/2514&SIP/2737Polycom&SIP/2675Polycom&SIP/2747&SIP/2293&SIP/2407&SIP/2553&SIP/2553Polycom&SIP/2566&SIP/2648&SIP/2422&SIP/2739&SIP/2758&SIP/2692&SIP/2537Polycom&SIP/2605&SIP/2413&SIP/2563&SIP/2204Polycom&SIP/2410Polycom&SIP/2289&SIP/2369&SIP/2445Polycom&SIP/2170Polycom&SIP/2420Polycom&SIP/2421Polycom&SIP/2391&SIP/2758Polycom&SIP/2700&SIP/2217&SIP/2454&SIP/2506,25,t){code}
> Resulting in an ABRT with **stack smashing detected** pointing at cel_pgsql.c.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
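The failure mode in the report is the general one for libpq's PQescapeStringConn(): its documentation requires the destination buffer to hold at least 2*length+1 bytes (every input byte may be doubled, plus the terminating NUL), and it does not check the caller's buffer size. A fixed 513-byte stack buffer therefore stops being safe at 256 input bytes in the worst case, and at 513 bytes even for input that needs no escaping. The C below is an added example, not code from Asterisk or cel_pgsql.c: it uses a small stand-in for PQescapeStringConn() so it builds without libpq, takes the 513-byte size from the report, constructs a long Dial argument string in the style of the one above, and shows the check and the contract-sized allocation that avoid the overflow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed buffer size from the bug report (assumption: stands in for the
 * 513-byte on-stack buffer described there, not cel_pgsql.c itself). */
#define ESCAPE_STACK_BUF 513

/* Stand-in for libpq's PQescapeStringConn(): copies `from` into `to`,
 * doubling single quotes and backslashes. Like the real function it
 * assumes `to` has room for 2*len+1 bytes and never checks; sizing the
 * destination is entirely the caller's job. Returns bytes written,
 * excluding the NUL terminator. */
static size_t pg_escape_stub(char *to, const char *from, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'' || from[i] == '\\') {
            to[out++] = from[i];   /* worst case: every byte doubles */
        }
        to[out++] = from[i];
    }
    to[out] = '\0';
    return out;
}

/* libpq's documented contract: destination needs 2*len+1 bytes. */
size_t pg_escape_needed(size_t len)
{
    return 2 * len + 1;
}

/* 1 if an input of `len` bytes is guaranteed to fit the fixed buffer
 * under the worst-case expansion; this is the check the fixed-size
 * code path was missing. */
int fits_fixed_buffer(size_t len)
{
    return pg_escape_needed(len) <= ESCAPE_STACK_BUF;
}

/* Hardened pattern: size the destination from the contract instead of
 * from a constant. Returns a malloc'd string (caller frees) or NULL. */
char *escape_value_safe(const char *value)
{
    size_t len = strlen(value);
    char *buf = malloc(pg_escape_needed(len));
    if (!buf) {
        return NULL;
    }
    pg_escape_stub(buf, value, len);
    return buf;
}

/* Constructed sample input: Dial() app_args with n_devices SIP devices
 * joined by '&', followed by ",25,t" as in the report. Returns the
 * length written, or 0 if `cap` is too small. */
size_t build_long_dial(char *out, size_t cap, int n_devices)
{
    size_t off = 0;
    for (int i = 0; i < n_devices; i++) {
        int w = snprintf(out + off, cap - off, "%sSIP/2%03d", i ? "&" : "", i);
        if (w < 0 || (size_t)w >= cap - off) {
            return 0;
        }
        off += (size_t)w;
    }
    int w = snprintf(out + off, cap - off, ",25,t");
    if (w < 0 || (size_t)w >= cap - off) {
        return 0;
    }
    return off + (size_t)w;
}

/* Escaped length of the constructed Dial string (0 on failure). */
size_t escaped_len_of_long_dial(int n_devices)
{
    char dial[2048];
    size_t len = build_long_dial(dial, sizeof dial, n_devices);
    if (!len) {
        return 0;
    }
    char *e = escape_value_safe(dial);
    if (!e) {
        return 0;
    }
    size_t out = strlen(e);
    free(e);
    return out;
}

/* 1 if escaping `in` yields exactly `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char *e = escape_value_safe(in);
    int ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void)
{
    char dial[2048];
    size_t len = build_long_dial(dial, sizeof dial, 60);
    printf("app_args length %zu, worst-case escaped %zu, fits %d-byte buffer: %s\n",
           len, pg_escape_needed(len), ESCAPE_STACK_BUF,
           fits_fixed_buffer(len) ? "yes" : "no");
    char *e = escape_value_safe("SIP/O'Brien");
    printf("escaped: %s\n", e);
    free(e);
    return 0;
}
```

The check and the allocation are the two halves of the fix: fits_fixed_buffer() is what a fixed-size fast path must test before calling the escape routine, and escape_value_safe() is the path to take when it fails. A sixty-device Dial string of this shape is 544 bytes before escaping, already past the 513-byte buffer with no quotes in it at all.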