[asterisk-commits] mmichelson: branch 1.6.0 r108582 - in /branches/1.6.0: ./ main/manager.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Mar 13 16:31:45 CDT 2008 

Author: mmichelson
Date: Thu Mar 13 16:31:44 2008
New Revision: 108582

URL: http://svn.digium.com/view/asterisk?view=rev&rev=108582
Log:
Merged revisions 108529 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

........
r108529 | mmichelson | 2008-03-13 15:59:00 -0500 (Thu, 13 Mar 2008) | 11 lines

Fixing a potential buffer overflow in the manager command ModuleCheck.

Though this overflow is exploitable remotely, we are NOT issuing a security
advisory for this since in order to exploit the overflow, the attacker would
have to establish an authenticated manager session AND have the system privilege.
By gaining this privilege, the attacker already has more powerful weapons at his
disposal than overflowing a buffer with a malformed manager header, so the vulnerability
in this case really lies with the authentication method that allowed the attacker to 
gain the system privilege in the first place.


........

Modified:
    branches/1.6.0/   (props changed)
    branches/1.6.0/main/manager.c

Propchange: branches/1.6.0/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.

Modified: branches/1.6.0/main/manager.c
URL: http://svn.digium.com/view/asterisk/branches/1.6.0/main/manager.c?view=diff&rev=108582&r1=108581&r2=108582
==============================================================================
--- branches/1.6.0/main/manager.c (original)
+++ branches/1.6.0/main/manager.c Thu Mar 13 16:31:44 2008
@@ -2565,14 +2565,14 @@
 	} else {
 		cut = filename + strlen(filename);
 	}
-	sprintf(cut, ".so");
+	snprintf(cut, sizeof(filename) - cut - 1, ".so");
 	ast_log(LOG_DEBUG, "**** ModuleCheck .so file %s\n", filename);
 	res = ast_module_check(filename);
 	if (!res) {
 		astman_send_error(s, m, "Module not loaded");
 		return 0;
 	}
-	sprintf(cut, ".c");
+	snprintf(cut, sizeof(filename) - cut - 1, ".c");
 	ast_log(LOG_DEBUG, "**** ModuleCheck .c file %s\n", filename);
 	version = ast_file_version_find(filename);

More information about the asterisk-commits mailing list