[Asterisk-code-review] app voicemail: Fix stack overrun in append mailbox (asterisk[13])

George Joseph asteriskteam at digium.com
Fri Sep 21 14:35:55 CDT 2018


George Joseph has uploaded this change for review. ( https://gerrit.asterisk.org/10235 )


Change subject: app_voicemail:  Fix stack overrun in append_mailbox
......................................................................

app_voicemail:  Fix stack overrun in append_mailbox

The append_mailbox function wasn't calculating the correct length
to pass to ast_alloca and it wasn't handling the case where context
might be empty.

Found by the Address Sanitizer.

Change-Id: I7eb51c7bd18a7a8dbdba261462a95cc69e84f161
---
M apps/app_voicemail.c
1 file changed, 7 insertions(+), 4 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/35/10235/1

diff --git a/apps/app_voicemail.c b/apps/app_voicemail.c
index f2b6c97..7b43ea0 100644
--- a/apps/app_voicemail.c
+++ b/apps/app_voicemail.c
@@ -12288,6 +12288,7 @@
 	char *mailbox_full;
 	int new = 0, old = 0, urgent = 0;
 	char secretfn[PATH_MAX] = "";
+	size_t len;
 
 	tmp = ast_strdupa(data);
 
@@ -12324,10 +12325,12 @@
 		read_password_from_file(secretfn, vmu->password, sizeof(vmu->password));
 	}
 
-	mailbox_full = ast_alloca(strlen(box) + strlen(context) + 1);
-	strcpy(mailbox_full, box);
-	strcat(mailbox_full, "@");
-	strcat(mailbox_full, context);
+	len = sizeof(box) + sizeof(context) + sizeof('@') + 1;
+	mailbox_full = ast_alloca(len);
+	snprintf(mailbox_full, len, "%s%s%s",
+		box,
+		ast_strlen_zero(context) ? "" : "@",
+		context);
 
 	inboxcount2(mailbox_full, &urgent, &new, &old);
 #ifdef IMAP_STORAGE
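
Review bot: The new `len = sizeof(box) + sizeof(context) + sizeof('@') + 1;` line measures types, not string contents. The removed lines used `strlen(box)` and `strlen(context)`, so these look like runtime strings; if they are pointers, `sizeof` yields the pointer width for each, and `sizeof('@')` is `sizeof(int)` in C because a character constant has type int. That gives a fixed-size buffer unrelated to the actual mailbox and context lengths, so `snprintf` will silently truncate a longer `box@context` and `inboxcount2` would be handed a cut-off mailbox name. Suggest `len = strlen(box) + strlen(context) + 2;` (one byte for '@', one for the terminator), which also covers the byte the old `+ 1` calculation left out. Separately, `ast_strlen_zero(context)` guards only the separator; if `context` can be NULL rather than just empty, it is still passed to the final `%s` and would reach the length calculation too.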

-- 
To view, visit https://gerrit.asterisk.org/10235

Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-MessageType: newchange
Gerrit-Change-Id: I7eb51c7bd18a7a8dbdba261462a95cc69e84f161
Gerrit-Change-Number: 10235
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>