[Asterisk-code-review] cel pgsql.c: Fix buffer overflow calling libpq (asterisk[13.15])
twisted
asteriskteam at digium.com
Mon Mar 27 12:03:58 CDT 2017
twisted has uploaded a new change for review. ( https://gerrit.asterisk.org/5332 )
Change subject: cel_pgsql.c: Fix buffer overflow calling libpq
......................................................................
cel_pgsql.c: Fix buffer overflow calling libpq
PQescapeStringConn() expects the buffer passed in to be an
adequately sized buffer to write out the escaped SQL value string
into. It is possible, for large values (such as large values to
Dial with a lot of devices) to have more than our 512+1 byte
allocation and thus cause libpq to create a buffer overrun.
glibc will nicely ABRT asterisk for you, citing a stack smash.
This resolves it.
ASTERISK-26896 #close
Change-Id: I580f567eec0fdeec4ee739465b5ad38ec1acfd3f
---
M cel/cel_pgsql.c
1 file changed, 11 insertions(+), 1 deletion(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/32/5332/1
diff --git a/cel/cel_pgsql.c b/cel/cel_pgsql.c
index 61e3c8d..d16246c 100644
--- a/cel/cel_pgsql.c
+++ b/cel/cel_pgsql.c
@@ -184,9 +184,12 @@
if (connected) {
struct columns *cur;
struct ast_str *sql = ast_str_create(maxsize), *sql2 = ast_str_create(maxsize2);
- char buf[257], escapebuf[513];
+ char buf[257];
+ char *escapebuf;
const char *value;
int first = 1;
+
+ escapebuf = malloc(sizeof(char) * 513);
if (!sql || !sql2) {
goto ast_log_cleanup;
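Review bot: the `escapebuf = malloc(sizeof(char) * 513);` line has no NULL check, and no matching `free(escapebuf)` appears in this hunk, so every CEL event now leaks 513 bytes (or more, after the later realloc) unless a free is added at the `ast_log_cleanup` label. Since the buffer is now a `char *` rather than an array, `sizeof(escapebuf)` no longer describes its capacity; track the allocated size in a separate variable (e.g. `size_t escapebuf_len = 513;`) alongside the pointer. Asterisk code normally uses `ast_malloc()`/`ast_free()` instead of bare `malloc()`/`free()`.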
@@ -312,6 +315,13 @@
/* XXX Might want to handle dates, times, and other misc fields here XXX */
} else {
if (value) {
+ /* If our argument size exceeds our buffer, grow it,
+ * as PQescapeStringConn() expects the buffer to be
+ * adequitely sized and does *NOT* do size checking.
+ */
+ if (strlen(value) >= sizeof(escapebuf)) {
+ escapebuf = (char *)realloc(escapebuf, strlen(value) + 1);
+ }
PQescapeStringConn(conn, escapebuf, value, strlen(value), NULL);
} else {
escapebuf[0] = '\0';
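Review bot: the size check `strlen(value) >= sizeof(escapebuf)` compares against the size of a pointer (typically 8), not the 513-byte allocation, because `escapebuf` is now `char *`; the intent is only preserved by accident. The new size is also too small: libpq documents that the `to` buffer of PQescapeStringConn() must be at least `2*length+1` bytes, since every quote or backslash in `value` expands to two bytes, so `realloc(escapebuf, strlen(value) + 1)` can still overflow on input containing those characters. Finally, assigning the realloc result directly to `escapebuf` loses the original pointer if realloc fails. Suggested shape: `size_t need = 2 * strlen(value) + 1; if (need > escapebuf_len) { char *tmp = ast_realloc(escapebuf, need); if (!tmp) { goto ast_log_cleanup; } escapebuf = tmp; escapebuf_len = need; }`.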
--
To view, visit https://gerrit.asterisk.org/5332
Gerrit-MessageType: newchange
Gerrit-Change-Id: I580f567eec0fdeec4ee739465b5ad38ec1acfd3f
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 13.15
Gerrit-Owner: twisted <josh at asteriasgi.com>