From: Milan Kyselica Date: Wed, 25 Mar 2026 22:29:46 +0000 (+0100) Subject: callerid: fix signed char causing crash in MDMF parser X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=3e0817d8e6352f2eb54f80b150f598d4bb11e44e;p=thirdparty%2Fasterisk.git callerid: fix signed char causing crash in MDMF parser Change rawdata buffer from char to unsigned char to prevent sign-extension of TLV length bytes >= 0x80. On signed-char platforms (all Asterisk builds due to -fsigned-char in configure.ac), these values become negative when assigned to int, bypass the `if (res > 32)` bounds check, and reach memcpy as size_t producing a ~18 EB read that immediately crashes with SIGSEGV. Affects DAHDI analog (FXO) channels only. Not reachable via SIP, PRI/BRI, or DTMF-based Caller ID. Fixes: #1839 --- diff --git a/main/callerid.c b/main/callerid.c index 957db01466..381e83a9b8 100644 --- a/main/callerid.c +++ b/main/callerid.c @@ -44,7 +44,7 @@ struct callerid_state { fsk_data fskd; - char rawdata[256]; + unsigned char rawdata[256]; short oldstuff[160]; int oldlen; int pos; @@ -440,7 +440,7 @@ int callerid_feed_jp(struct callerid_state *cid, unsigned char *ubuf, int len, s cid->name[0] = '\0'; cid->flags = 0; res = cid->rawdata[x++]; - ast_copy_string(cid->number, &cid->rawdata[x], res+1); + ast_copy_string(cid->number, (const char *) &cid->rawdata[x], res+1); x += res; break; case 0x21: /* additional information */ @@ -782,7 +782,7 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, stru } else { /* SDMF */ ast_debug(6, "SDMF Caller*ID spill received\n"); - ast_copy_string(cid->number, cid->rawdata + 8, sizeof(cid->number)); + ast_copy_string(cid->number, (const char *) cid->rawdata + 8, sizeof(cid->number)); } if (!strcmp(cid->number, "P")) { ast_debug(6, "Caller*ID number is private\n");