From: George Joseph
Date: Mon, 15 Jun 2026 13:41:10 +0000 (-0600)
Subject: chan_unistim.c: Prevent overrun of phone_number field.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f414ec771eaa3318a4b2d28f70fa387196ae283;p=thirdparty%2Fasterisk.git
chan_unistim.c: Prevent overrun of phone_number field.
Add a check to key_dial_page() to ensure that dialed digits won't overrun the phone_number field.
Resolves: #GHSA-3g56-cgrh-95p5
---
diff --git a/channels/chan_unistim.c b/channels/chan_unistim.c
index d008b6bc99..95d4b89a9b 100644
--- a/channels/chan_unistim.c
+++ b/channels/chan_unistim.c
@@ -455,6 +455,8 @@ static struct unistim_device {
 struct unistim_device *next;
 } *devices = NULL;
+#define MAX_PHONE_NUMBER_LENGTH (AST_MAX_EXTENSION - 1)
+
 static struct unistimsession {
 ast_mutex_t lock;
 struct sockaddr_in sin; /*!< IP address of the phone */
@@ -3577,6 +3579,12 @@ static void key_dial_page(struct unistimsession *pte, char keycode)
 if ((keycode >= KEY_0) && (keycode <= KEY_SHARP)) {
 int i = pte->device->size_phone_number;
+ /*
+ * If the phone_number buffer is already full, bail now to prevent an overrun.
+ */
+ if (pte->device->size_phone_number >= MAX_PHONE_NUMBER_LENGTH) {
+ return;
+ }
 if (pte->device->size_phone_number == 0) {
 send_tone(pte, 0, 0);
 }
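Review bot: `MAX_PHONE_NUMBER_LENGTH` is coupled to the size of the `phone_number` buffer only by convention, because the field's declaration is not in this hunk and nothing here ties the two together. If the array is ever resized without touching this define, the new bound silently stops protecting it. Assuming `phone_number` is a fixed-size char array (to be confirmed against the struct), deriving the limit from the field itself at the point of use, e.g. `sizeof(pte->device->phone_number) - 1`, would keep them in step. At minimum the define deserves a comment such as `/* Largest digit count that still leaves room for the terminating NUL in phone_number */`.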
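Review bot: The new guard in key_dial_page() returns without any trace, so a device that keeps sending digit keycodes past the limit is indistinguishable from a quiet one. A debug-level message at the rejection, e.g. `ast_debug(1, "Dial buffer full, key ignored\n");`, would give operators a signal while keeping a burst of key presses out of the normal log. The guard also re-reads `pte->device->size_phone_number` although the value was copied into `i` on the line above; `if (i >= MAX_PHONE_NUMBER_LENGTH) {` says the same thing more directly. The function body continues outside the hunk, and other code that appends to `phone_number` is not visible here, so whether those paths need the same bound should be checked separately.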