From: Matthew Jordan
Date: Mon, 23 Apr 2012 13:30:50 +0000 (+0000)
Subject: AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling
X-Git-Tag: 1.6.2.24~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5991853759c04f6e5592095ba3cf6b395fc32f9e;p=thirdparty%2Fasterisk.git
AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling When handling a keypad button message event, the received digit is placed into a fixed length buffer that acts as a queue. When a new message event is received, the length of that buffer is not checked before placing the new digit on the end of the queue. The situation exists where sufficient keypad button message events would occur that would cause the buffer to be overrun. This patch explicitly checks that there is sufficient room in the buffer before appending a new digit. (closes issue ASTERISK-19592) Reported by: Russell Bryant git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@363100 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index 425f79d394..d4458a91b7 100644
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -6072,6 +6072,7 @@ static int handle_register_available_lines_message(struct skinny_req *req, struc
 static int handle_message(struct skinny_req *req, struct skinnysession *s)
 {
 	int res = 0;
+	size_t len;
 
 	if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
 		ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
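Review bot: `size_t len;` is declared at the top of handle_message although its only use is in the keypad-button branch of the second hunk, so the variable lives across the whole message dispatcher. If that branch already opens a block with its own locals (the `digit` referenced there suggests it does), declaring `len` alongside them would keep its scope matched to its use without changing behavior. handle_message continues well beyond the end of this hunk.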
@@ -6137,8 +6138,13 @@ static int handle_message(struct skinny_req *req, struct skinnysession *s)
 				ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
 			}
-			d->exten[strlen(d->exten)] = dgt;
-			d->exten[strlen(d->exten)+1] = '\0';
+			len = strlen(d->exten);
+			if (len < sizeof(d->exten) - 1) {
+				d->exten[len] = dgt;
+				d->exten[len + 1] = '\0';
+			} else {
+				ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+			}
 		} else
 			res = handle_keypad_button_message(req, s);
 	}
 
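Review bot: The new bound `len < sizeof(d->exten) - 1` is only a capacity check if `exten` is a fixed-size char array member of the device struct; should it ever become a pointer, `sizeof` would silently yield the pointer size and the guard would stop protecting anything. A one-line comment above the check would pin that assumption for future maintainers: `/* exten is a fixed-size array; sizeof gives its capacity, leave room for the NUL */`. The added log line uses `AST_LOG_WARNING` while the context line two above in the same block uses `LOG_WARNING`; the two should agree. Note also that this warning fires once per dropped digit and is driven entirely by peer input, so it is a good detection signal for a misbehaving device but is not rate-limited here. The enclosing handle_message body starts before and ends after this hunk.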