FS-10001: [core] Fix Buffer overflow collecting digits

author Mike Jerris <mike@jerris.com>

Mon, 6 Mar 2017 18:51:29 +0000 (12:51 -0600)

committer Mike Jerris <mike@jerris.com>

Mon, 6 Mar 2017 18:51:29 +0000 (12:51 -0600)
author Mike Jerris <mike@jerris.com>
Mon, 6 Mar 2017 18:51:29 +0000 (12:51 -0600)
committer Mike Jerris <mike@jerris.com>
Mon, 6 Mar 2017 18:51:29 +0000 (12:51 -0600)
diff --git a/src/mod/applications/mod_dptools/mod_dptools.c b/src/mod/applications/mod_dptools/mod_dptools.c

index 937d214827d5ddf834ec43d06a0b3dc57990537d..04f35b538f1fae0b9bbb179c23864f1d82390016 100644 (file)
--- a/src/mod/applications/mod_dptools/mod_dptools.c
+++ b/src/mod/applications/mod_dptools/mod_dptools.c
@@ -935,6 +935,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
                                         if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) {
                                                 switch_ivr_play_file(session, NULL, file, NULL);
                                         }
+                                       buf[0] = '\0';
                                         switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0);
                                         continue;
                                 }
@@ -954,6 +955,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
                                                                 if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) {
                                                                         switch_ivr_play_file(session, NULL, file, NULL);
                                                                 }
+                                                               buf[0] = '\0';
                                                                 switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0);
                                                         }
                                                 }
@@ -962,6 +964,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
                                         if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_idle"))) {
                                                 switch_ivr_play_file(session, NULL, file, NULL);
                                         }
+                                       buf[0] = '\0';
                                         switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 2000, 0, 0);
                                 }
                         }
diff --git a/src/switch_ivr.c b/src/switch_ivr.c

index 76d0158b1a1dbd8113dbae00c7b31c5164d6367b..770c3bb81f60f461f504e5b4fa128847a7fff775 100644 (file)
--- a/src/switch_ivr.c
+++ b/src/switch_ivr.c
@@ -1333,6 +1333,11 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_collect_digits_count(switch_core_sess
         int sval = 0;
         const char *var;
  
+
+       if (x >= buflen || x >= maxdigits) {
+               return SWITCH_STATUS_FALSE;
+       }
+
         if ((var = switch_channel_get_variable(channel, SWITCH_SEND_SILENCE_WHEN_IDLE_VARIABLE)) && (sval = atoi(var))) {
                 switch_core_session_get_read_impl(session, &imp);
author	Mike Jerris <mike@jerris.com>
	Mon, 6 Mar 2017 18:51:29 +0000 (12:51 -0600)
committer	Mike Jerris <mike@jerris.com>
	Mon, 6 Mar 2017 18:51:29 +0000 (12:51 -0600)
src/mod/applications/mod_dptools/mod_dptools.c		patch \| blob \| blame \| history
src/switch_ivr.c		patch \| blob \| blame \| history