chan_unistim.c: Prevent overrun of phone_number field.
authorGeorge Joseph <gjoseph@sangoma.com>
Mon, 15 Jun 2026 13:41:10 +0000 (07:41 -0600)
committerGeorge Joseph <gtjoseph@users.noreply.github.com>
Thu, 25 Jun 2026 14:21:09 +0000 (08:21 -0600)
Add a check to key_dial_page() to ensure that dialed digits won't overrun
the phone_number field.

Resolves: #GHSA-3g56-cgrh-95p5

channels/chan_unistim.c

index d008b6bc990689159dd10c25cc85b63fc016d726..95d4b89a9b0712bac9f08e8cb1c5cc772c761e8c 100644 (file)
@@ -455,6 +455,8 @@ static struct unistim_device {
        struct unistim_device *next;
 } *devices = NULL;
 
+#define MAX_PHONE_NUMBER_LENGTH (AST_MAX_EXTENSION - 1)
+
 static struct unistimsession {
        ast_mutex_t lock;
        struct sockaddr_in sin;  /*!< IP address of the phone */
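Review bot: `MAX_PHONE_NUMBER_LENGTH` is derived from `AST_MAX_EXTENSION`, not from the `phone_number` field it is meant to protect, and that field's declaration is outside this hunk. If the array is ever resized, the guard in key_dial_page() will keep compiling and quietly stop matching the buffer. A comment on the define would record the coupling, for example `/* Max digits in unistim_device.phone_number; one byte is reserved for the NUL. Must track that field's size. */`. Since the define sits after the struct, the bound could instead be taken from the field itself with `sizeof(((struct unistim_device *)0)->phone_number) - 1`, provided the signed/unsigned comparison in the guard is handled.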
@@ -3577,6 +3579,12 @@ static void key_dial_page(struct unistimsession *pte, char keycode)
        if ((keycode >= KEY_0) && (keycode <= KEY_SHARP)) {
                int i = pte->device->size_phone_number;
 
+               /*
+                * If the phone_number buffer is already full, bail now to prevent an overrun.
+                */
+               if (pte->device->size_phone_number >= MAX_PHONE_NUMBER_LENGTH) {
+                       return;
+               }
                if (pte->device->size_phone_number == 0) {
                        send_tone(pte, 0, 0);
                }
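Review bot: The new guard at the top of the digit branch returns without leaving any trace, so a handset that keeps sending digits past the limit looks the same as normal dialing to anyone reading the logs. A debug line before the `return;`, such as `ast_debug(1, "phone_number buffer full, ignoring digit\n");`, would make the condition visible for troubleshooting and detection. The guard could also test the local that was just loaded from the same field, `if (i >= MAX_PHONE_NUMBER_LENGTH) {`, so the check and the later index use one value. key_dial_page() continues outside the hunk, so it cannot be confirmed from here that every buffer indexed by `i` further down is at least `AST_MAX_EXTENSION` bytes.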