[Asterisk-Dev] potential buffer overflow (minor problem)
Todd
goldfita at rose-hulman.edu
Wed Feb 9 09:59:20 MST 2005
Hi guys,
I don't enter 1024 DTMF digits too often, but supposing I were trying to
break something... do we really want to put a null character here in
ast_readstring_full,ast_readstring (channel.c)?
if (!strchr(enders, d))
    s[pos++] = d;
if (strchr(enders, d) || (pos >= len)) {
    s[pos]='\0';
    return 0;
}
I think we want something like this near the beginning:
if (strchr(enders, d) || (pos >= len-1)) {
    s[pos]='\0';
    return 0;
}
Furthermore, if you look at handle_getdata (res_agi.c), you'll note that
there is nothing here to limit max.
if (argc >= 5)
    max = atoi(argv[4]);
else
    max = 1024;
Change data[1024] to data[4] and max = 1024 to max = 4 and watch what
happens to asterisk when you enter lots of digits.
-Todd
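The following is an added example, not part of Todd's message and not Asterisk's source: it models the quoted ast_readstring loop twice, once with the original bound (pos >= len) and once with the len-1 bound the message proposes, and adds a clamp for the unchecked "max" that handle_getdata passes down. The channel is replaced by a constructed string of digits, and the names fake_chan, next_digit, readstring_vulnerable, readstring_fixed, clamp_agi_max and run_reader are assumptions made for this example. The reader runs against a 4-byte window at the start of a larger sentinel-filled buffer, so the one-byte overwrite stays inside a real object (well-defined) but is still observable.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the channel: a fixed string of DTMF digits
 * that ast_waitfordigit() would otherwise pull from the caller. */
typedef struct {
    const char *digits;
    size_t next;
} fake_chan;

/* Next digit, or -1 when the input runs out (treat like a hangup). */
static int next_digit(fake_chan *c)
{
    if (c->digits[c->next] == '\0')
        return -1;
    return (unsigned char)c->digits[c->next++];
}

/* Mirrors the quoted channel.c logic: after s[pos++] = d, pos can equal
 * len, and the terminator then lands one byte past the end of s. */
int readstring_vulnerable(fake_chan *c, char *s, int len, const char *enders)
{
    int pos = 0;
    for (;;) {
        int d = next_digit(c);
        if (d < 0) {
            s[pos] = '\0';      /* pos < len here, so this write is in bounds */
            return -1;
        }
        if (!strchr(enders, d))
            s[pos++] = d;
        if (strchr(enders, d) || pos >= len) {
            s[pos] = '\0';      /* when pos == len this is s[len]: one past the end */
            return 0;
        }
    }
}

/* Same loop with the len-1 bound proposed in the message: at most len-1
 * digits are stored, so s[pos] always stays inside the buffer. */
int readstring_fixed(fake_chan *c, char *s, int len, const char *enders)
{
    int pos = 0;
    if (len < 1)
        return -1;              /* no room even for the terminator */
    for (;;) {
        int d = next_digit(c);
        if (d < 0) {
            s[pos] = '\0';
            return -1;
        }
        if (!strchr(enders, d))
            s[pos++] = d;
        if (strchr(enders, d) || pos >= len - 1) {
            s[pos] = '\0';
            return 0;
        }
    }
}

/* Stand-in for the unchecked "max = atoi(argv[4])" in handle_getdata:
 * clamp the caller-supplied length to the size of the buffer it will be
 * read into (bufsize is sizeof the data array, terminator included). */
int clamp_agi_max(int requested, int bufsize)
{
    if (requested < 1 || requested > bufsize)
        return bufsize;
    return requested;
}

#define WINDOW 4   /* the small buffer the message suggests trying */

typedef int (*reader_fn)(fake_chan *, char *, int, const char *);

char last_stored[WINDOW + 1];   /* what the reader left in the window */

/* Runs a reader against a WINDOW-byte region at the start of an
 * 'X'-filled backing buffer. Returns 1 if the byte just past the window
 * was overwritten, 0 otherwise; the stored digits land in last_stored. */
int run_reader(reader_fn rd, const char *digits)
{
    char backing[WINDOW + 4];
    fake_chan c = { digits, 0 };
    memset(backing, 'X', sizeof backing);
    rd(&c, backing, WINDOW, "#");
    memcpy(last_stored, backing, WINDOW);
    last_stored[WINDOW] = '\0';
    return backing[WINDOW] != 'X';
}

int main(void)
{
    int hit = run_reader(readstring_vulnerable, "12345678#");
    printf("vulnerable: stored \"%s\", byte after buffer clobbered: %d\n", last_stored, hit);
    hit = run_reader(readstring_fixed, "12345678#");
    printf("fixed:      stored \"%s\", byte after buffer clobbered: %d\n", last_stored, hit);
    printf("AGI max 1024 against a %d-byte buffer clamps to %d\n",
           WINDOW, clamp_agi_max(1024, WINDOW));
    return 0;
}
```

With the original bound the fourth digit fills the window and the terminator is written to backing[4]; with the len-1 bound only three digits are kept and the terminator stays inside the window. The clamp only makes sense alongside the fixed reader: with the original loop, a caller would have to pass sizeof(data) - 1 to leave room for the terminator.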