callerid: fix signed char causing crash in MDMF parser
authorMilan Kyselica <mil.kyselica@gmail.com>
Wed, 25 Mar 2026 22:29:46 +0000 (23:29 +0100)
committergithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Tue, 31 Mar 2026 16:55:05 +0000 (16:55 +0000)
Change rawdata buffer from char to unsigned char to prevent
sign-extension of TLV length bytes >= 0x80. On signed-char
platforms (all Asterisk builds due to -fsigned-char in
configure.ac), these values become negative when assigned to
int, bypass the `if (res > 32)` bounds check, and reach
memcpy as size_t producing a ~18 EB read that immediately
crashes with SIGSEGV.

Affects DAHDI analog (FXO) channels only. Not reachable
via SIP, PRI/BRI, or DTMF-based Caller ID.

Fixes: #1839
main/callerid.c

index 957db01466549a763798fecc49b8be66e900adfd..381e83a9b85fdacba395b4e8d5ae0ffaecbd55fb 100644 (file)
@@ -44,7 +44,7 @@
 
 struct callerid_state {
        fsk_data fskd;
-       char rawdata[256];
+       unsigned char rawdata[256];
        short oldstuff[160];
        int oldlen;
        int pos;
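Review bot: The `rawdata` field in `struct callerid_state` carries no comment saying why it must be unsigned, so a later cleanup could switch it back to `char` to drop the casts and reintroduce the sign-extension. I would add a comment on the field, for example `/* unsigned: TLV length bytes >= 0x80 must not sign-extend when read into an int */`. Only two call sites are adjusted in this diff. Any other place in the file that reads a length byte from `rawdata` or passes it to a string function is outside the visible hunks and should be checked against the new type.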
@@ -440,7 +440,7 @@ int callerid_feed_jp(struct callerid_state *cid, unsigned char *ubuf, int len, s
                                                cid->name[0] = '\0';
                                                cid->flags = 0;
                                                res = cid->rawdata[x++];
-                                               ast_copy_string(cid->number, &cid->rawdata[x], res+1);
+                                               ast_copy_string(cid->number, (const char *) &cid->rawdata[x], res+1);
                                                x += res;
                                                break;
                                        case 0x21: /* additional information */
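Review bot: With `rawdata` now unsigned, `res` at `res = cid->rawdata[x++]` ranges from 0 to 255 and goes straight into `ast_copy_string(cid->number, ..., res+1)` with no upper bound visible in this hunk, so the size argument can reach 256 whatever the size of `cid->number`. The declaration of `number` is outside the diff, so this is inferred, but if the field is smaller than 256 bytes the copy can write past it. The size should be capped at the destination, e.g. `ast_copy_string(cid->number, (const char *) &cid->rawdata[x], res < (int) sizeof(cid->number) ? res + 1 : (int) sizeof(cid->number));`. It is also worth confirming that `x + res` stays inside the received payload before `x += res`. The enclosing switch in callerid_feed_jp starts and ends outside the hunk.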
@@ -782,7 +782,7 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, stru
                                } else {
                                        /* SDMF */
                                        ast_debug(6, "SDMF Caller*ID spill received\n");
-                                       ast_copy_string(cid->number, cid->rawdata + 8, sizeof(cid->number));
+                                       ast_copy_string(cid->number, (const char *) cid->rawdata + 8, sizeof(cid->number));
                                }
                                if (!strcmp(cid->number, "P")) {
                                        ast_debug(6, "Caller*ID number is private\n");
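Review bot: A style point on the SDMF copy: `(const char *) cid->rawdata + 8` is correct because the cast binds before the addition, but it is easy to misread as casting the sum. The callerid_feed_jp hunk in this same commit uses the indexed form, so for consistency I would write `ast_copy_string(cid->number, (const char *) &cid->rawdata[8], sizeof(cid->number));`. The surrounding if/else in callerid_feed starts outside the hunk.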