[asterisk-bugs] [JIRA] (ASTERISK-28454) res_fax.c UTF-8 validation for remotestationid and pbx_builtin_setvar_helper

Jodi Jones (JIRA) noreply at issues.asterisk.org
Wed Jun 19 16:21:47 CDT 2019


Jodi Jones created ASTERISK-28454:
-------------------------------------

             Summary: res_fax.c UTF-8 validation for remotestationid and pbx_builtin_setvar_helper
                 Key: ASTERISK-28454
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28454
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Resources/res_fax
    Affects Versions: 16.4.0
         Environment: Linux
            Reporter: Jodi Jones


A UTF-8 validation needs to be added to https://github.com/asterisk/asterisk/blob/master/res/res_fax.c#L1450; invalid UTF-8 causes a segfault via JSON.

i.e.:

```
# 0: /usr/sbin/asterisk(ast_json_pack+0x94) [0x4f77f4]
# 1: /usr/sbin/asterisk(ast_channel_publish_varset+0x2b) [0x57dd2b]
# 2: /usr/sbin/asterisk(pbx_builtin_setvar_helper+0x123) [0x533f13]
# 3: /usr/lib/asterisk/modules/res_fax.so(+0x3de2) [0x7fdfe67a2de2]
# 4: /usr/lib/asterisk/modules/res_fax.so(+0x95a7) [0x7fdfe67a85a7]
# 5: /usr/lib/asterisk/modules/res_fax.so(+0x10df5) [0x7fdfe67afdf5]
# 6: /usr/sbin/asterisk(pbx_exec+0xb9) [0x52ad09]
# 7: /usr/sbin/asterisk() [0x51e6d5]
# 8: /usr/sbin/asterisk() [0x520744]
# 9: /usr/sbin/asterisk() [0x521ccb]
#10: /usr/sbin/asterisk() [0x59e179]
#11: /lib64/libpthread.so.0(+0x7dd5) [0x7fe037454dd5]
#12: /lib64/libc.so.6(clone+0x6d) [0x7fe0364f4ead]

[Jun 10 17:08:51] ERROR[12545][C-00000002] stasis_channels.c: Error creating message
[Jun 10 17:08:51] ERROR[12545][C-00000002] json.c: Error building JSON from '{s: s, s: s, s: s, s: s, s: s, s: s, s: o}': Invalid UTF-8 string.
[Jun 10 17:08:51] ERROR[12545][C-00000002] : Got 10 backtrace records
# 0: /usr/sbin/asterisk(ast_json_pack+0x94) [0x4f77f4]
# 1: /usr/lib/asterisk/modules/res_fax.so(+0x50c8) [0x7fdfe67a40c8]
# 2: /usr/lib/asterisk/modules/res_fax.so(+0x10e4a) [0x7fdfe67afe4a]
# 3: /usr/sbin/asterisk(pbx_exec+0xb9) [0x52ad09]
# 4: /usr/sbin/asterisk() [0x51e6d5]
# 5: /usr/sbin/asterisk() [0x520744]
# 6: /usr/sbin/asterisk() [0x521ccb]
# 7: /usr/sbin/asterisk() [0x59e179]
# 8: /lib64/libpthread.so.0(+0x7dd5) [0x7fe037454dd5]
# 9: /lib64/libc.so.6(clone+0x6d) [0x7fe0364f4ead]
```

Here is the character in question from the FAXOPT:
```
[Jun 10 17:08:51] VERBOSE[12545][C-00000002] pbx.c: Executing [h@fax-rx:9] NoOp("SIP/VIBE-XC5-XS1-00000001", "FAXOPT(remotestationid) : ▒▒▒▒ ") in new stack
```

Validated that the segfault goes away by not referencing `details->remotestationid` and using a static string in the function `set_channel_variables` of res_fax.c.

Band-aid solution for our production environment (I understand this is not a proper fix):

```
        //pbx_builtin_setvar_helper(chan, "REMOTESTATIONID", S_OR(details->remotestationid, NULL));
        pbx_builtin_setvar_helper(chan, "REMOTESTATIONID", S_OR("utf8_bypass", NULL));
```

We were getting several segfaults an hour when receiving faxes with dodgy remote station IDs... we haven't had a single segfault since applying this workaround.



--
This message was sent by Atlassian JIRA
(v6.2#6252)


