[asterisk-bugs] [JIRA] (ASTERISK-28570) Potential infinite loop in function find_matching_priority

Mon Oct 7 08:55:47 CDT 2019

Yoooooo Ha created ASTERISK-28570:
-------------------------------------

             Summary: Potential infinite loop in function find_matching_priority
                 Key: ASTERISK-28570
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28570
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Applications/app_while
    Affects Versions: 16.6.0
         Environment: No
            Reporter: Yoooooo Ha

Summary: Potential infinite loop in function find_matching_priority.

####################################
static struct ast_exten *find_matching_priority(struct ast_context *c, 
const char *exten, int priority, const char *callerid)
{
         struct ast_exten *e;
         struct ast_context *c2;
         int idx;

         for (e=ast_walk_context_extensions(c, NULL); e; 
e=ast_walk_context_extensions(c, e)) {
                 if (ast_extension_match(ast_get_extension_name(e), 
exten)) {
                         int needmatch = ast_get_extension_matchcid(e);
                         if ((needmatch && 
ast_extension_match(ast_get_extension_cidmatch(e), callerid)) ||
                                 (!needmatch)) {
                                 /* This is the matching extension we 
want */
                                 struct ast_exten *p;
                                 for (p=ast_walk_extension_priorities(e, 
NULL); p; p=ast_walk_extension_priorities(e, p)) {
                                         if (priority != 
ast_get_extension_priority(p))
                                                 continue;
                                         return p;
                                 }
                         }
                 }
         }

         /* No match; run through includes */
         for (idx = 0; idx < ast_context_includes_count(c); idx++) {
                 const struct ast_include *i = 
ast_context_includes_get(c, idx);

                 for (c2=ast_walk_contexts(NULL); c2; 
c2=ast_walk_contexts(c2)) {
                         if (!strcmp(ast_get_context_name(c2), 
ast_get_include_name(i))) {
                                 e = find_matching_priority(c2, exten, 
priority, callerid);
                                 if (e)
                                         return e;
                         }
                 }
         }
         return NULL;
}
####################################

Function find_matching_priority is a recursive function, and it is 
called by function find_matching_endwhile.
There is possibility that an infinite loop occurs.
The vulnerability is same as the one fixed in 
https://gerrit.asterisk.org/c/asterisk/+/8931 
(https://issues.asterisk.org/jira/browse/ASTERISK-26570)

--
This message was sent by Atlassian JIRA
(v6.2#6252)