[asterisk-commits] mjordan: branch 1.8 r362485 - in /branches/1.8: addons/ apps/ channels/ main/...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Apr 18 21:08:50 CDT 2012
Author: mjordan
Date: Wed Apr 18 21:08:44 2012
New Revision: 362485
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=362485
Log:
Fix a variety of potential buffer overflows
* chan_mobile: Fixed an overrun where the cind_state buffer (an integer array
of size 16) would be overrun due to improper bounds checking. At worst, the
buffer can be overrun by a total of 48 bytes (assuming 4-byte integers),
which would still leave it within the allocated memory of struct hfp. This
would corrupt other elements in that struct but not necessarily cause any
further issues.
* app_sms: The array imsg is of size 250, while the array (ud) that the data
is copied into is of size 160. If the size of the inbound message is
greater than 160, up to 90 bytes could be overrun in ud. This would corrupt
the user data header (array udh) adjacent to ud.
* chan_unistim: A number of invalid memmoves are corrected. These would move
data (which may or may not be valid) into the ends of these buffers.
* asterisk: ast_console_toggle_loglevel does not check that the console log
level being set is less than or equal to the allowed log levels of 32.
* frame: In ast_codec_pref_prepend, if any occurrence of the specified codec
is not found, the value used to index into the array pref->order would be
one greater than the maximum size of the array.
* jitterbuf: If the element being placed into the jitter buffer lands in the
last available slot in the jitter history buffer, the insertion sort attempts
to move the last entry in the buffer into one slot past the maximum length
of the buffer. Note that this occurred for both the min and max jitter
history buffers.
* tdd: If a read from fsk_serial returns a character that is greater than 32,
an attempt to read past one of the statically defined arrays containing the
values that character maps to would occur.
* localtime: struct ast_time and tm are not the same size - ast_time is larger,
although it contains the elements of tm within it in the same layout. Hence,
when using memcpy to copy the contents of tm into ast_time, the size of tm
should be used, as opposed to the size of ast_time.
* extconf: this treats ast_timing's minmask array as if it had a length of 48,
when it has defined the size of the array as 24. pbx.h defines minmask as
having a size of 48.
(issue ASTERISK-19688)
Reported by: Matt Jordan
Modified:
branches/1.8/addons/chan_mobile.c
branches/1.8/apps/app_sms.c
branches/1.8/channels/chan_unistim.c
branches/1.8/main/asterisk.c
branches/1.8/main/frame.c
branches/1.8/main/jitterbuf.c
branches/1.8/main/stdtime/localtime.c
branches/1.8/main/tdd.c
branches/1.8/utils/extconf.c
Modified: branches/1.8/addons/chan_mobile.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/addons/chan_mobile.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/addons/chan_mobile.c (original)
+++ branches/1.8/addons/chan_mobile.c Wed Apr 18 21:08:44 2012
@@ -2123,7 +2123,7 @@
return HFP_CIND_NONE;
}
- if (i >= sizeof(hfp->cind_state)) {
+ if (i >= ARRAY_LEN(hfp->cind_state)) {
ast_debug(2, "[%s] CIEV event index too high (%s)\n", hfp->owner->id, buf);
return HFP_CIND_NONE;
}
@@ -2605,7 +2605,7 @@
int value;
/* store the current indicator */
- if (group >= sizeof(hfp->cind_state)) {
+ if (group >= ARRAY_LEN(hfp->cind_state)) {
ast_debug(1, "ignoring CIND state '%s' for group %d, we only support up to %d indicators\n", indicator, group, (int) sizeof(hfp->cind_state));
return -1;
}
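Review bot: The debug message in this hunk still prints `(int) sizeof(hfp->cind_state)` as the number of supported indicators, so after the fix it reports the byte size of the array, not the element count the check now uses. Change the argument to `(int) ARRAY_LEN(hfp->cind_state)` so the log matches the bound. The same confusion between `sizeof` and element count caused the overrun, so other uses of `sizeof(hfp->cind_state)` in the file are worth checking.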
Modified: branches/1.8/apps/app_sms.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/apps/app_sms.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/apps/app_sms.c (original)
+++ branches/1.8/apps/app_sms.c Wed Apr 18 21:08:44 2012
@@ -1269,8 +1269,8 @@
switch (msg) {
case 0x13: /* Body */
ast_verb(3, "SMS-P2 Body#%02X=[%.*s]\n", msg, msgsz, &h->imsg[f]);
- if (msgsz >= sizeof(h->imsg)) {
- msgsz = sizeof(h->imsg) - 1;
+ if (msgsz >= sizeof(h->ud)) {
+ msgsz = sizeof(h->ud) - 1;
}
for (i = 0; i < msgsz; i++) {
h->ud[i] = h->imsg[f + i];
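Review bot: The new clamp bounds only the write into `ud`. The `%.*s` log on the line above still prints `msgsz` bytes from `&h->imsg[f]` before any clamping, and the copy loop reads `h->imsg[f + i]` without checking that `f + msgsz` stays inside `imsg`. Both `msgsz` and `f` are set outside this hunk, so this is inferred, but if they come from the inbound message the read side can still run past `imsg`. Moving the clamp above the `ast_verb` call and also limiting `msgsz` to the bytes remaining after `f` would cover both. A short comment saying that `ud` is the bound because it is the destination would help the next reader.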
Modified: branches/1.8/channels/chan_unistim.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/channels/chan_unistim.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/channels/chan_unistim.c (original)
+++ branches/1.8/channels/chan_unistim.c Wed Apr 18 21:08:44 2012
@@ -3216,7 +3216,7 @@
if (!ast_strlen_zero(pte->device->call_forward)) {
/* Cancel call forwarding */
memmove(pte->device->call_forward + 1, pte->device->call_forward,
- sizeof(pte->device->call_forward));
+ sizeof(pte->device->call_forward) - 1);
pte->device->call_forward[0] = '\0';
Sendicon(TEXT_LINE0, FAV_ICON_NONE, pte);
pte->device->output = OUTPUT_HANDSET; /* Seems to be reseted somewhere */
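Review bot: After the shortened `memmove`, the last byte of `call_forward` holds the character that was previously second-to-last, so if the stored number filled the buffer the saved copy starting at `call_forward + 1` is no longer NUL-terminated. Adding `pte->device->call_forward[sizeof(pte->device->call_forward) - 1] = '\0';` after the move keeps it a valid string. How the saved value is read back is outside this hunk, so whether this can be reached in practice needs confirming.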
@@ -5005,7 +5005,7 @@
ast_log(LOG_WARNING, "Invalid position %d for bookmark : already used\n:", p);
return 0;
}
- memmove(line, line + 2, sizeof(line));
+ memmove(line, line + 2, sizeof(line) - 2);
} else {
/* No position specified, looking for a free slot */
for (p = 0; p <= 5; p++) {
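Review bot: The move in this hunk still copies a fixed `sizeof(line) - 2` bytes regardless of how long the string is, and it is only correct if `line` is a true array here and not a pointer (its declaration is outside this hunk). Since `line` appears to hold a NUL-terminated string, `memmove(line, line + 2, strlen(line + 2) + 1);` would move exactly the text and its terminator and would not depend on the buffer size.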
Modified: branches/1.8/main/asterisk.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/asterisk.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/main/asterisk.c (original)
+++ branches/1.8/main/asterisk.c Wed Apr 18 21:08:44 2012
@@ -1097,6 +1097,11 @@
void ast_console_toggle_loglevel(int fd, int level, int state)
{
int x;
+
+ if (level >= NUMLOGLEVELS) {
+ level = NUMLOGLEVELS - 1;
+ }
+
for (x = 0;x < AST_MAX_CONNECTS; x++) {
if (fd == consoles[x].fd) {
/*
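Review bot: `level` is a signed `int` and the new check in `ast_console_toggle_loglevel` covers only the upper bound, so a negative value still passes through to whatever indexes by `level` later in the function (the body continues outside this hunk). Consider `if (level < 0) { return; }` ahead of the clamp, or a single range check. Silently clamping to `NUMLOGLEVELS - 1` also means an out-of-range request toggles the last level instead of being rejected; a one-line comment stating that this is intended would remove the doubt.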
Modified: branches/1.8/main/frame.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/frame.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/main/frame.c (original)
+++ branches/1.8/main/frame.c Wed Apr 18 21:08:44 2012
@@ -1128,6 +1128,11 @@
break;
}
+ /* If we failed to find any occurrence, set to the end */
+ if (x == sizeof(format_t) * 8) {
+ --x;
+ }
+
if (only_if_existing && !pref->order[x])
return;
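Review bot: The clamp compares `x` against `sizeof(format_t) * 8`, which is correct only while that expression equals both the bound of the search loop above (outside this hunk) and the length of `pref->order`. Tying the check to the array itself, e.g. `if (x >= ARRAY_LEN(pref->order)) { x = ARRAY_LEN(pref->order) - 1; }`, keeps it right if either changes, assuming `order` is a fixed-size array member.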
Modified: branches/1.8/main/jitterbuf.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/jitterbuf.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/main/jitterbuf.c (original)
+++ branches/1.8/main/jitterbuf.c Wed Apr 18 21:08:44 2012
@@ -242,7 +242,9 @@
/* found where it fits */
if (toins > jb->hist_maxbuf[j]) {
/* move over */
- memmove(jb->hist_maxbuf + j + 1, jb->hist_maxbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_maxbuf[0]));
+ if (j != JB_HISTORY_MAXBUF_SZ - 1) {
+ memmove(jb->hist_maxbuf + j + 1, jb->hist_maxbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_maxbuf[0]));
+ }
/* insert */
jb->hist_maxbuf[j] = toins;
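Review bot: When `j == JB_HISTORY_MAXBUF_SZ - 1` the length argument `(JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(...)` is already zero, so the guarded `memmove` copied nothing in that case and the new `if` does not change what is written; for smaller `j` the move ends exactly at the last element. If the guard is there to avoid forming the one-past-the-end destination pointer or to satisfy an analysis tool, a comment such as `/* length is 0 at the last slot; skip the call */` would record that. The same applies to the `hist_minbuf` hunk below. The loop bounds on `j` are outside these hunks, so this assumes `j` never exceeds `JB_HISTORY_MAXBUF_SZ - 1`.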
@@ -259,7 +261,9 @@
/* found where it fits */
if (toins < jb->hist_minbuf[j]) {
/* move over */
- memmove(jb->hist_minbuf + j + 1, jb->hist_minbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_minbuf[0]));
+ if (j != JB_HISTORY_MAXBUF_SZ - 1) {
+ memmove(jb->hist_minbuf + j + 1, jb->hist_minbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_minbuf[0]));
+ }
/* insert */
jb->hist_minbuf[j] = toins;
Modified: branches/1.8/main/stdtime/localtime.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/stdtime/localtime.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/main/stdtime/localtime.c (original)
+++ branches/1.8/main/stdtime/localtime.c Wed Apr 18 21:08:44 2012
@@ -2339,7 +2339,11 @@
prevlocale = ast_setlocale(locale);
res = strptime(s, format, &tm2);
ast_setlocale(prevlocale);
- memcpy(tm, &tm2, sizeof(*tm));
+ /* ast_time and tm are not the same size - tm is a subset of
+ * ast_time. Hence, the size of tm needs to be used for the
+ * memcpy
+ */
+ memcpy(tm, &tm2, sizeof(tm2));
tm->tm_usec = 0;
/* strptime(3) doesn't set .tm_isdst correctly, so to force ast_mktime(3)
* to deal with it correctly, we set it to -1. */
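Review bot: The new comment is easy to misread because in this function `tm` is the destination pointer (the larger type) and `tm2` is the `struct tm` filled by `strptime`; naming the variables, e.g. `/* *tm is larger than tm2 (struct tm); copy only sizeof(tm2) bytes */`, would make it unambiguous. The copy also depends on the larger struct starting with the same fields in the same order as `struct tm`, which nothing in the hunk enforces; a compile-time size or offset assertion near the type definition would catch drift. `res` is not examined before the copy in the visible lines, so a failed parse still copies `tm2` as-is.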
Modified: branches/1.8/main/tdd.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/main/tdd.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/main/tdd.c (original)
+++ branches/1.8/main/tdd.c Wed Apr 18 21:08:44 2012
@@ -69,19 +69,21 @@
'5','\"',')','2','=','6','0','1',
'9','?','+','^','.','/',';','^' };
int d = 0; /* return 0 if not decodeable */
- switch (data) {
- case 0x1f:
- tdd->modo = 0;
- break;
- case 0x1b:
- tdd->modo = 1;
- break;
- default:
- if (tdd->modo == 0)
- d = ltrs[data];
- else
- d = figs[data];
- break;
+ if (data < 32) {
+ switch (data) {
+ case 0x1f:
+ tdd->modo = 0;
+ break;
+ case 0x1b:
+ tdd->modo = 1;
+ break;
+ default:
+ if (tdd->modo == 0)
+ d = ltrs[data];
+ else
+ d = figs[data];
+ break;
+ }
}
return d;
}
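Review bot: The literal `32` in `if (data < 32)` duplicates the length of the `ltrs` and `figs` tables, assuming both have 32 entries (only the tail of one is visible), and only an upper bound is tested. If `data` is declared with a signed type (the signature is outside this hunk), a negative value still passes the check and indexes before the arrays. Writing the test as `if (data < ARRAY_LEN(ltrs))` ties it to the table and, because the comparison is then unsigned, also rejects negative input.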
Modified: branches/1.8/utils/extconf.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.8/utils/extconf.c?view=diff&rev=362485&r1=362484&r2=362485
==============================================================================
--- branches/1.8/utils/extconf.c (original)
+++ branches/1.8/utils/extconf.c Wed Apr 18 21:08:44 2012
@@ -2910,7 +2910,7 @@
unsigned int monthmask; /*!< Mask for month */
unsigned int daymask; /*!< Mask for date */
unsigned int dowmask; /*!< Mask for day of week (mon-sun) */
- unsigned int minmask[24]; /*!< Mask for minute */
+ unsigned int minmask[48]; /*!< Mask for minute */
char *timezone; /*!< NULL, or zoneinfo style timezone */
};
/* end of pbx.h */