[Asterisk-code-review] app voicemail/IMAP: IMAP access FATAL error: Out of memory (asterisk[13])
Alexei Gradinari
asteriskteam at digium.com
Thu Apr 7 11:46:30 CDT 2016
Alexei Gradinari has uploaded a new change for review.
https://gerrit.asterisk.org/2545
Change subject: app_voicemail/IMAP: IMAP access FATAL error: Out of memory
......................................................................
app_voicemail/IMAP: IMAP access FATAL error: Out of memory
Sometimes uw-imap function 'mail_fetchbody' returns huge len
which then pass to uw-imap function 'rfc822_base64'.
uw-imap tries to allocate huge memory and abort() on fail.
This patch check the len.
If the len more than max size (128 Mbytes) log error.
This patch also set variables len, newlen to avoid uninizialezed len.
This patch also check pointer returned by rfc822_base64.
Change-Id: I4a0e7d655f11abef6a5224e2169df6d5c1f1caca
---
M apps/app_voicemail.c
1 file changed, 11 insertions(+), 2 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/45/2545/1
diff --git a/apps/app_voicemail.c b/apps/app_voicemail.c
index 0755c44..ae42f7d 100644
--- a/apps/app_voicemail.c
+++ b/apps/app_voicemail.c
@@ -580,6 +580,8 @@
#define INTRO "vm-intro"
+#define MAX_MAIL_BODY_CONTENT_SIZE 134217728L // 128 Mbyte
+
#define MAXMSG 100
#define MAXMSGLIMIT 9999
@@ -3631,15 +3633,22 @@
if (!body || body == NIL)
return -1;
+ len=newlen=0;
ast_mutex_lock(&vms->lock);
body_content = mail_fetchbody(vms->mailstream, vms->msgArray[vms->curmsg], section, &len);
ast_mutex_unlock(&vms->lock);
- if (body_content != NIL) {
+ if (len > MAX_MAIL_BODY_CONTENT_SIZE) {
+ ast_log(AST_LOG_ERROR,
+ "Msgno %ld, section %s. The body's content size %ld is huge (max %ld). User:%s, mailbox %s\n",
+ vms->msgArray[vms->curmsg], section, len, MAX_MAIL_BODY_CONTENT_SIZE, vms->imapuser, vms->username);
+ return -1;
+ }
+ if (body_content != NIL && len) {
snprintf(filename, sizeof(filename), "%s.%s", fn, format);
/* ast_debug(1, body_content); */
body_decoded = rfc822_base64((unsigned char *) body_content, len, &newlen);
/* If the body of the file is empty, return an error */
- if (!newlen) {
+ if (!newlen || !body_decoded) {
return -1;
}
write_file(filename, (char *) body_decoded, newlen);
--
To view, visit https://gerrit.asterisk.org/2545
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4a0e7d655f11abef6a5224e2169df6d5c1f1caca
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Owner: Alexei Gradinari <alex2grad at gmail.com>
More information about the asterisk-code-review
mailing list