[asterisk-bugs] [JIRA] (ASTERISK-30103) chan_ooh323 Vulnerability in calling/called party IE
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Thu Dec 1 11:57:51 CST 2022
[ https://issues.asterisk.org/jira/browse/ASTERISK-30103?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=260784#comment-260784 ]
Friendly Automation commented on ASTERISK-30103:
------------------------------------------------
Change 19615 merged by Benjamin Keith Ford:
ooh323c: not checking for IE minimum length
[ https://gerrit.asterisk.org/c/asterisk/+/19615 ]
> chan_ooh323 Vulnerability in calling/called party IE
> ----------------------------------------------------
>
> Key: ASTERISK-30103
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-30103
> Project: Asterisk
> Issue Type: Security
> Security Level: None
> Components: Addons/chan_ooh323
> Affects Versions: 18.10.0
> Reporter: Michael Bradeen
> Assignee: Michael Bradeen
> Severity: Blocker
> Labels: security
>
> When using a called or calling party number with a length of 0 (malformed) it is possible to cause a buffer under-run when parsing.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
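
The minimum-length check named in the change title, as an added example that is not taken from ooh323c or from change 19615. The function name and signature are hypothetical, and the octet layout assumed is the Q.931 Calling/Called Party Number IE (octet 3, optional octet 3a for the calling party, then digits).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for this example (not an ooh323c function).
 * data/len: contents of a Q.931 Calling or Called Party Number IE, i.e. the
 * octets after the IE identifier and length octet.
 * Layout: octet 3 (ext bit 0x80, type of number, numbering plan); for the
 * calling party IE only, octet 3a follows when octet 3 has ext bit clear;
 * the remaining octets are the digits.
 * Returns the digit count, or -1 for a malformed IE. */
int parse_party_number(const uint8_t *data, size_t len, int is_calling,
                       char *out, size_t outsz)
{
    size_t hdr = 1;                       /* octet 3 is mandatory */

    if (!data || !out || outsz == 0)
        return -1;
    /* Minimum-length check: with len == 0 there is no octet 3 to read, and
     * len - hdr below would wrap to a huge size_t. */
    if (len < hdr)
        return -1;
    if (is_calling && (data[0] & 0x80) == 0) {
        hdr = 2;                          /* octet 3a announced by ext bit */
        if (len < hdr)
            return -1;                    /* announced but missing */
    }
    if (len - hdr >= outsz)               /* digits plus NUL must fit */
        return -1;
    memcpy(out, data + hdr, len - hdr);
    out[len - hdr] = '\0';
    return (int)(len - hdr);
}

int main(void)
{
    /* Constructed sample IE contents, not captured traffic. */
    const uint8_t calling[] = { 0x00, 0x80, '1', '0', '0' };
    const uint8_t empty[1] = { 0 };
    char num[32];

    printf("calling: %d\n", parse_party_number(calling, sizeof calling, 1, num, sizeof num));
    printf("zero-length: %d\n", parse_party_number(empty, 0, 1, num, sizeof num));
    return 0;
}
```

Both length checks run before any octet is read or any subtraction is done, so a zero-length IE and an IE that announces octet 3a without carrying it are rejected the same way.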