[asterisk-commits] mjordan: branch 1.6.2 r359645 - in /branches/1.6.2: ./ apps/app_milliwatt.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Mar 15 13:32:47 CDT 2012


Author: mjordan
Date: Thu Mar 15 13:32:44 2012
New Revision: 359645

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=359645
Log:
Fix remotely exploitable stack overrun in Milliwatt

Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option.  This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.  For channels using a format with 
a sample rate less than 32kHz, the buffer overrun should not be possible as
the buffer allocated is sufficient to hold the data, even with no bounds
checking.  For formats with a sample rate greater than 32kHz however, the
fixed length buffer will be overrun.

This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed.  Note that at no
point is remote code execution possible.  The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.

(closes issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
  milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
  Note that this patch was written by Russell, even though Matt uploaded it

Modified:
    branches/1.6.2/   (props changed)
    branches/1.6.2/apps/app_milliwatt.c

Propchange: branches/1.6.2/
------------------------------------------------------------------------------
--- branch-1.4-blocked (original)
+++ branch-1.4-blocked Thu Mar 15 13:32:44 2012
@@ -1,1 +1,1 @@
-/branches/1.4:279344,281185,286070,286381,288116,288412,293922,294163,301869,302916,311199,311201,320055,320393,322657,322698
+/branches/1.4:279344,281185,286070,286381,288116,288412,293922,294163,301869,302916,311199,311201,320055,320393,322657,322698,359615

Modified: branches/1.6.2/apps/app_milliwatt.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.6.2/apps/app_milliwatt.c?view=diff&rev=359645&r1=359644&r2=359645
==============================================================================
--- branches/1.6.2/apps/app_milliwatt.c (original)
+++ branches/1.6.2/apps/app_milliwatt.c Thu Mar 15 13:32:44 2012
@@ -74,7 +74,7 @@
 static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples)
 {
 	unsigned char buf[AST_FRIENDLY_OFFSET + 640];
-	const int maxsamples = ARRAY_LEN(buf);
+	const int maxsamples = ARRAY_LEN(buf) - (AST_FRIENDLY_OFFSET / sizeof(buf[0]));
 	int i, *indexp = (int *) data;
 	struct ast_frame wf = {
 		.frametype = AST_FRAME_VOICE,
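Review bot: the new maxsamples line recovers the payload size by subtracting AST_FRIENDLY_OFFSET back out of ARRAY_LEN(buf), so the literal 640 in the declaration of buf and the limit stay linked only by arithmetic, and nothing in the code says why the subtraction is there. Since buf is unsigned char, sizeof(buf[0]) is 1 and the expression evaluates to 640. Consider naming that value once (for example a hypothetical MILLIWATT_MAX_SAMPLES define), declaring buf as AST_FRIENDLY_OFFSET plus that constant, and setting maxsamples directly from it, with a one-line comment that the first AST_FRIENDLY_OFFSET bytes of buf are reserved ahead of the sample data. The visible context ends before maxsamples is used, so it is also worth confirming that samples is clamped to maxsamples before the first write into buf, and that len is adjusted to match.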



