When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue. When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue. The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun. This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.
(closes issue ASTERISK-19592)
Reported by: Russell Bryant
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@363100
65c4cc65-6c06-0410-ace0-
fbb531ad65f3
static int handle_message(struct skinny_req *req, struct skinnysession *s)
{
int res = 0;
+ size_t len;
if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
}
- d->exten[strlen(d->exten)] = dgt;
- d->exten[strlen(d->exten)+1] = '\0';
+ len = strlen(d->exten);
+ if (len < sizeof(d->exten) - 1) {
+ d->exten[len] = dgt;
+ d->exten[len + 1] = '\0';
+ } else {
+ ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+ }
} else
res = handle_keypad_button_message(req, s);
}
projects / thirdparty / asterisk.git / commitdiff
