[asterisk-commits] mjordan: branch 1.4 r359615 - /branches/1.4/apps/app_milliwatt.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Mar 15 13:20:52 CDT 2012
Author: mjordan
Date: Thu Mar 15 13:20:49 2012
New Revision: 359615
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=359615
Log:
Fix remotely exploitable stack overrun in Milliwatt
Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option. This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer. For channels using a format with
a sample rate less than 32kHz, the buffer overrun should not be possible as
the buffer allocated is sufficient to hold the data, even with no bounds
checking. For formats with a sample rate greater than 32kHz however, the
fixed length buffer will be overrun.
This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed. Note that at no
point is remote code execution possible. The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.
(issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
Note that this patch was written by Russell, even though Matt uploaded it
Modified:
branches/1.4/apps/app_milliwatt.c
Modified: branches/1.4/apps/app_milliwatt.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.4/apps/app_milliwatt.c?view=diff&rev=359615&r1=359614&r2=359615
==============================================================================
--- branches/1.4/apps/app_milliwatt.c (original)
+++ branches/1.4/apps/app_milliwatt.c Thu Mar 15 13:20:49 2012
@@ -77,7 +77,7 @@
static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples)
{
unsigned char buf[AST_FRIENDLY_OFFSET + 640];
- const int maxsamples = sizeof (buf) / sizeof (buf[0]);
+ const int maxsamples = (sizeof (buf) / sizeof (buf[0])) - (AST_FRIENDLY_OFFSET / sizeof(buf[0]));
int i, *indexp = (int *) data;
struct ast_frame wf = {
.frametype = AST_FRAME_VOICE,
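Review bot: the new maxsamples initializer on the `+` line subtracts AST_FRIENDLY_OFFSET from the element count of buf, but nothing ties the result to the literal 640 in the buf declaration one line above, and there is no comment saying why the offset is excluded. Suggest naming the payload size once (for example a constant called MILLIWATT_PAYLOAD, a hypothetical name) and using it both in the array size and as maxsamples, with a one-line comment that the offset bytes of buf are not available for samples. Minor points on the same line: it mixes `sizeof (buf)` and `sizeof(buf[0])` spacing, both divisions by sizeof(buf[0]) are divisions by 1 because buf is unsigned char, and the size_t result is narrowed to const int.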
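The bound described in the log message, as an added C model (not code from the Asterisk tree or from the patch author): it clamps a request with the old and the new maxsamples and counts the bytes that land past the end of buf. Assumptions: AST_FRIENDLY_OFFSET is 64, the payload is written starting AST_FRIENDLY_OFFSET bytes into buf, and the pattern bytes, function names and request sizes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define AST_FRIENDLY_OFFSET 64   /* assumed value; the page does not state it */
#define PAYLOAD 640              /* from buf[AST_FRIENDLY_OFFSET + 640] */
#define BUF_SIZE (AST_FRIENDLY_OFFSET + PAYLOAD)
#define GUARD 256                /* slack so this model never overflows itself */

/* Constructed 8-byte stand-in for the pre-defined Milliwatt data. */
static const unsigned char pattern[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Sample limit before (fixed == 0) and after (fixed != 0) r359615. */
static int max_samples(int fixed)
{
    int limit = BUF_SIZE;        /* sizeof(buf) / sizeof(buf[0]), elements are 1 byte */
    if (fixed)
        limit -= AST_FRIENDLY_OFFSET;
    return limit;
}

/*
 * Clamp the request to the limit, then write the payload starting
 * AST_FRIENDLY_OFFSET bytes into the buffer (assumed layout). Returns how
 * many bytes landed beyond the BUF_SIZE bytes that buf really has.
 */
static int bytes_past_end(int samples, int fixed)
{
    unsigned char arena[BUF_SIZE + GUARD];   /* buf followed by a guard zone */
    int i, spilled = 0, limit = max_samples(fixed);

    if (samples < 0)
        samples = 0;
    if (samples > limit)
        samples = limit;
    memset(arena, 0, sizeof(arena));
    for (i = 0; i < samples; i++)
        arena[AST_FRIENDLY_OFFSET + i] = pattern[i & 7];
    for (i = BUF_SIZE; i < BUF_SIZE + GUARD; i++)
        spilled += (arena[i] != 0);
    return spilled;
}

int main(void)
{
    static const int requests[] = {160, 640, 641, 960};   /* constructed sizes */
    size_t i;
    for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++)
        printf("samples=%d before=%d after=%d bytes past end\n", requests[i],
               bytes_past_end(requests[i], 0), bytes_past_end(requests[i], 1));
    return 0;
}
```

Under these assumptions the old limit never lets the write run more than AST_FRIENDLY_OFFSET bytes past buf, and requests of 640 samples or fewer stay in bounds either way.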