[asterisk-dev] Config reading and scanf with large numbers

Richard Mudgett rmudgett at digium.com
Wed Jun 1 11:06:53 CDT 2016


On Wed, Jun 1, 2016 at 5:25 AM, snuffy <snuffy22 at gmail.com> wrote:

> Hello All,
>
> I noticed a bug report ASTERISK-25972,
>

The referenced issue has nothing to do with what you are talking about.


>
> Looking through the code we do the following:
>
> sscanf(string,"%30d",&my_int);
>
> Now the issue is that an integer can't hold a number 30 digits in length; 32-bit
> ints are safe with 9, and 64-bit with 19.
>
> If we set a value of %9d and there are any more digits after the first 9,
> they will be lost, but we know the value will be inside the range of an
> integer.
>
> For single value scans, like reading from config files, we could 'mitigate'
> by checking the strlen of the value we intend to read before running scanf;
> if the result is > 9, emit a warning stating that their value will be truncated and
> read only the first 9 characters into the integer.
>
> If we use just %d, followed by %n, we can see how many characters have been
> consumed; if we determine that it would be too large, emit a warning
> stating that the value is most likely incorrect.
>
>
> Am I barking up the wrong tree? Thoughts?
>

The reason Asterisk uses sscanf format specifiers like "%30d" is because of
the AST-2009-005 security issue, where a bug in libc allowed an attacker to
crash Asterisk by supplying a ridiculously long string of digits in a SIP
message and blow the stack.

As far as reading config files with excessively long integers, garbage in
gives garbage out.

Richard
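As an added example (not code from the thread or from Asterisk), the following C function combines the two ideas discussed above: a bounded field width so an attacker-supplied run of digits can never run past the destination, and `%n` so leftover digits are reported instead of silently dropped. The function name and the status enum are this example's own choices; the width of 18 is chosen because 18 decimal digits always fit in a `long long`, which keeps the intermediate value well defined before the explicit range check against `int`.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Outcome of parsing one integer config value (example's own enum). */
enum cfg_int_status {
    CFG_INT_OK,           /* parsed and fits in an int */
    CFG_INT_EMPTY,        /* no digits found at all */
    CFG_INT_TRUNCATED,    /* more digits than the width allowed */
    CFG_INT_OUT_OF_RANGE  /* value does not fit in an int */
};

/*
 * Parse a decimal integer from config text. %18lld caps how much sscanf
 * will read (the AST-2009-005 style protection), %n records how many
 * characters were consumed so we can tell whether digits were left over.
 * Trailing non-digit text is ignored, as with a plain sscanf("%d").
 */
enum cfg_int_status parse_config_int(const char *text, int *out)
{
    long long value = 0;
    int consumed = 0;

    if (sscanf(text, "%18lld%n", &value, &consumed) != 1) {
        return CFG_INT_EMPTY;
    }
    /* The width limit stopped the scan but the input still had digits. */
    if (isdigit((unsigned char)text[consumed])) {
        return CFG_INT_TRUNCATED;
    }
    if (value < INT_MIN || value > INT_MAX) {
        return CFG_INT_OUT_OF_RANGE;
    }
    *out = (int)value;
    return CFG_INT_OK;
}

int main(void)
{
    /* Constructed sample values, including a 30-digit one like the thread's. */
    const char *samples[] = { "42", "-7", "2147483648",
                              "123456789012345678901234567890", "abc" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int v = 0;
        enum cfg_int_status st = parse_config_int(samples[i], &v);
        printf("%-32s status=%d value=%d\n", samples[i], (int)st, v);
    }
    return 0;
}
```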