It is possible to crash Asterisk by feeding the curl engine invalid data.
authorTilghman Lesher <tilghman@meg.abyt.es>
Mon, 15 Nov 2010 07:42:39 +0000 (07:42 +0000)
committerTilghman Lesher <tilghman@meg.abyt.es>
Mon, 15 Nov 2010 07:42:39 +0000 (07:42 +0000)
(closes issue #18161)
 Reported by: wdoekes
 Patches:
       20101029__issue18161.diff.txt uploaded by tilghman (license 14)
 Tested by: tilghman

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@294988 65c4cc65-6c06-0410-ace0-fbb531ad65f3

funcs/func_curl.c

index d10209822cc4b92cca182f67d554276bfb85889d..9d6a0c8460c5b1fe399238d1ca7bc2137721dce0 100644 (file)
@@ -477,8 +477,11 @@ static int acf_curl_exec(struct ast_channel *chan, const char *cmd, char *info,
                        struct ast_str *fields = ast_str_create(ast_str_strlen(str) / 2);
                        struct ast_str *values = ast_str_create(ast_str_strlen(str) / 2);
                        int rowcount = 0;
-                       while ((piece = strsep(&remainder, "&"))) {
+                       while (fields && values && (piece = strsep(&remainder, "&"))) {
                                char *name = strsep(&piece, "=");
+                               if (!piece) {
+                                       piece = "";
+                               }
                                ast_uri_decode(piece);
                                ast_uri_decode(name);
                                ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name);
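Review bot: The new `piece = "";` fallback passes a string literal to `ast_uri_decode(piece)` on the following line, and that function takes a writable `char *` and appears to decode in place. Its body is not in this hunk, but if it stores a terminating NUL even for empty input, the call writes to read-only storage, so a field with no `=` in the fetched response could still crash the process this commit is meant to protect. It would be safer to skip the decode with `if (piece) { ast_uri_decode(piece); }` and substitute the empty string only where the value is read, e.g. `S_OR(piece, "")` in the values append, which lies past the end of this hunk. The `fields && values` guard only skips the loop, so the code after it (also outside the hunk) should be checked to tolerate a NULL `ast_str` and to free whichever allocation succeeded.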