From: Matthew Jordan Date: Thu, 15 Mar 2012 18:20:49 +0000 (+0000) Subject: Fix remotely exploitable stack overrun in Milliwatt X-Git-Tag: 1.4.44~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8235a16c2bd0805575004dff9e9edab09b4d45f9;p=thirdparty%2Fasterisk.git Fix remotely exploitable stack overrun in Milliwatt Milliwatt is vulnerable to a remotely exploitable stack overrun when using the 'o' option. This occurs due to the milliwatt_generate function not accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of samples it can put in the output buffer. This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET when determining the maximum number of samples allowed. Note that at no point is remote code execution possible. The data that is written into the buffer is the pre-defined Milliwatt data, and not custom data. (issue ASTERISK-19541) Reported by: Russell Bryant Tested by: Matt Jordan Patches: milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283) Note that this patch was written by Russell, even though Matt uploaded it git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@359615 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/apps/app_milliwatt.c b/apps/app_milliwatt.c index e9266a6835..fa2c03e8cc 100644 --- a/apps/app_milliwatt.c +++ b/apps/app_milliwatt.c @@ -77,7 +77,7 @@ static void milliwatt_release(struct ast_channel *chan, void *data) static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples) { unsigned char buf[AST_FRIENDLY_OFFSET + 640]; - const int maxsamples = sizeof (buf) / sizeof (buf[0]); + const int maxsamples = (sizeof (buf) / sizeof (buf[0])) - (AST_FRIENDLY_OFFSET / sizeof(buf[0])); int i, *indexp = (int *) data; struct ast_frame wf = { .frametype = AST_FRAME_VOICE,