[Asterisk-code-review] app voicemail: Fix stack overrun in append mailbox (asterisk[16.0])
George Joseph
asteriskteam at digium.com
Mon Sep 24 13:50:08 CDT 2018
George Joseph has submitted this change and it was merged. ( https://gerrit.asterisk.org/10238 )
Change subject: app_voicemail: Fix stack overrun in append_mailbox
......................................................................
app_voicemail: Fix stack overrun in append_mailbox
The append_mailbox function wasn't calculating the correct length
to pass to ast_alloca and it wasn't handling the case where context
might be empty.
Found by the Address Sanitizer.
Change-Id: I7eb51c7bd18a7a8dbdba261462a95cc69e84f161
---
M apps/app_voicemail.c
1 file changed, 12 insertions(+), 7 deletions(-)
Approvals:
Richard Mudgett: Looks good to me, but someone else must approve
Kevin Harwell: Looks good to me, but someone else must approve
George Joseph: Looks good to me, approved; Approved for Submit
diff --git a/apps/app_voicemail.c b/apps/app_voicemail.c
index c6e501c..b900c5a 100644
--- a/apps/app_voicemail.c
+++ b/apps/app_voicemail.c
@@ -810,11 +810,16 @@
unsigned char iobuf[BASEMAXINLINE];
};
+#define MAX_VM_MBOX_ID_LEN (AST_MAX_EXTENSION)
+#define MAX_VM_CONTEXT_LEN (AST_MAX_CONTEXT)
+/* MAX_VM_MAILBOX_LEN allows enough room for the '@' and NULL terminator */
+#define MAX_VM_MAILBOX_LEN (MAX_VM_MBOX_ID_LEN + MAX_VM_CONTEXT_LEN)
+
/*! Structure for linked list of users
* Use ast_vm_user_destroy() to free one of these structures. */
struct ast_vm_user {
- char context[AST_MAX_CONTEXT]; /*!< Voicemail context */
- char mailbox[AST_MAX_EXTENSION]; /*!< Mailbox id, unique within vm context */
+ char context[MAX_VM_CONTEXT_LEN];/*!< Voicemail context */
+ char mailbox[MAX_VM_MBOX_ID_LEN];/*!< Mailbox id, unique within vm context */
char password[80]; /*!< Secret pin code, numbers only */
char fullname[80]; /*!< Full name, for directory app */
char *email; /*!< E-mail address */
@@ -12357,7 +12362,7 @@
char *stringp;
char *s;
struct ast_vm_user *vmu;
- char *mailbox_full;
+ char mailbox_full[MAX_VM_MAILBOX_LEN];
int new = 0, old = 0, urgent = 0;
char secretfn[PATH_MAX] = "";
@@ -12396,10 +12401,10 @@
read_password_from_file(secretfn, vmu->password, sizeof(vmu->password));
}
- mailbox_full = ast_alloca(strlen(box) + strlen(context) + 1);
- strcpy(mailbox_full, box);
- strcat(mailbox_full, "@");
- strcat(mailbox_full, context);
+ snprintf(mailbox_full, MAX_VM_MAILBOX_LEN, "%s%s%s",
+ box,
+ ast_strlen_zero(context) ? "" : "@",
+ context);
inboxcount2(mailbox_full, &urgent, &new, &old);
#ifdef IMAP_STORAGE
--
To view, visit https://gerrit.asterisk.org/10238
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: 16.0
Gerrit-MessageType: merged
Gerrit-Change-Id: I7eb51c7bd18a7a8dbdba261462a95cc69e84f161
Gerrit-Change-Number: 10238
Gerrit-PatchSet: 3
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Jenkins2 (1000185)
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20180924/ff0b0fe7/attachment.html>
More information about the asterisk-code-review
mailing list