[asterisk-commits] mjordan: trunk r363105 - in /trunk: ./ channels/chan_skinny.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Mon Apr 23 08:53:28 CDT 2012


Author: mjordan
Date: Mon Apr 23 08:53:24 2012
New Revision: 363105

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=363105
Log:
AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling

When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue.  When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue.  The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun.  This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.

(closes issue ASTERISK-19592)
Reported by: Russell Bryant
........

Merged revisions 363100 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........

Merged revisions 363102 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 363103 from http://svn.asterisk.org/svn/asterisk/branches/10

Modified:
    trunk/   (props changed)
    trunk/channels/chan_skinny.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-10-merged' - no diff available.

Modified: trunk/channels/chan_skinny.c
URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_skinny.c?view=diff&rev=363105&r1=363104&r2=363105
==============================================================================
--- trunk/channels/chan_skinny.c (original)
+++ trunk/channels/chan_skinny.c Mon Apr 23 08:53:24 2012
@@ -6643,7 +6643,8 @@
 	int res = 0;
 	struct skinny_speeddial *sd;
 	struct skinny_device *d = s->device;
-	
+	size_t len;
+
 	if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
 		ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
 		ast_free(req);
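Review bot: size_t len is declared at function scope here, but in this patch it is only assigned and read inside the keypad digit branch of the second hunk. Declaring it at the top of the block that uses it would keep its scope tight in a function this long. Separately, in the unchanged context the warning prints req->e with %d while the condition on the line above tests letohl(req->e), so the logged message number is not byte-order converted; logging letohl(req->e) would match the test.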
@@ -6712,8 +6713,13 @@
 				ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
 			}
 
-			sub->exten[strlen(sub->exten)] = dgt;
-			sub->exten[strlen(sub->exten)+1] = '\0';
+			len = strlen(sub->exten);
+			if (len < sizeof(sub->exten) - 1) {
+				sub->exten[len] = dgt;
+				sub->exten[len + 1] = '\0';
+			} else {
+				ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+			}
 		} else
 			res = handle_keypad_button_message(req, s);
 		}
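Review bot: The new else branch emits a warning for every digit that arrives once the queue is full, and the commit log describes these keypad events as remotely supplied, so a peer that keeps sending them produces one log line per message. Consider logging once when the queue first fills, or at a lower level. The message also prints dgt, the value stored into sub->exten, with %d, whereas the warning just above prints digit; using the same variable in both, or %c for dgt, would make the two messages easier to correlate. The bound len < sizeof(sub->exten) - 1 is only correct while exten is an array member rather than a pointer, which is worth a short comment at the check. The new call uses AST_LOG_WARNING while the neighbouring call uses LOG_WARNING; pick one for consistency.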



