From: Tilghman Lesher Date: Mon, 15 Nov 2010 07:42:39 +0000 (+0000) Subject: It is possible to crash Asterisk by feeding the curl engine invalid data. X-Git-Tag: 1.6.2.15-rc1~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d7ac1e6d2a88d6e0bb513bf4f5314e71c142518;p=thirdparty%2Fasterisk.git It is possible to crash Asterisk by feeding the curl engine invalid data. (closes issue #18161) Reported by: wdoekes Patches: 20101029__issue18161.diff.txt uploaded by tilghman (license 14) Tested by: tilghman git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@294988 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/funcs/func_curl.c b/funcs/func_curl.c index d10209822c..9d6a0c8460 100644 --- a/funcs/func_curl.c +++ b/funcs/func_curl.c @@ -477,8 +477,11 @@ static int acf_curl_exec(struct ast_channel *chan, const char *cmd, char *info, struct ast_str *fields = ast_str_create(ast_str_strlen(str) / 2); struct ast_str *values = ast_str_create(ast_str_strlen(str) / 2); int rowcount = 0; - while ((piece = strsep(&remainder, "&"))) { + while (fields && values && (piece = strsep(&remainder, "&"))) { char *name = strsep(&piece, "="); + if (!piece) { + piece = ""; + } ast_uri_decode(piece); ast_uri_decode(name); ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name);