Summary: | ASTERISK-17959: Buffer overflow in custom_prepare
Reporter: | Mikael Carlsson (mickecarlsson) | Labels: |
Date Opened: | 2011-06-03 12:14:23 | Date Closed: | 2012-09-05 08:32:37
Priority: | Critical | Regression? | No
Status: | Closed/Complete | Components: | Resources/res_config_odbc
Versions: | 1.8.4 | Frequency of Occurrence |
Related Issues: |
Environment: | Attachments: | ( 0) bt_full.txt
Description: |
When writing to realtime using ODBC, Asterisk crashes when there is a ';' in the data.

****** ADDITIONAL INFORMATION ******

I am stretching this a bit, but I am testing 17682, astdb over realtime. When I used res_mysql it worked perfectly, but when I switched to ODBC, Asterisk crashed as soon as a SIP phone registered.

I traced it to what I believe is a buffer overflow in res_config_odbc.c, and that is that *data is copied to *cps in struct custom_prepare_struct *cps = data;

Later in the code, if there is a ';' in the *data, it is changed to ^3B, and that adds two more bytes to the data buffer. Later in the code, the use of ast_string_field_set(cps, encoding[x], encodebuf); sets the added buffer back to cps, causing an overflow, and Asterisk crashes.
Comments: |
By: Mikael Carlsson (mickecarlsson) 2011-06-03 14:34:13
Issue 17369 is related

By: Mikael Carlsson (mickecarlsson) 2011-06-08 12:23:18.134-0500
Reference to relation in Jira is ASTERISK-16123

By: Matt Jordan (mjordan) 2012-09-05 08:32:37.863-0500
Fixed in ASTERISK-16123
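Added example, not part of this issue and not Asterisk's code: a bounded encoder for the ';' to ^3B expansion the description mentions, showing why a destination sized for the raw value is too small once each escaped byte grows to three. The helper name `caret_encode`, the macro `CARET_ENCODED_MAX` and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Worst case: every input byte becomes a 3-byte "^XX" escape, plus the NUL. */
#define CARET_ENCODED_MAX(n) ((n) * 3 + 1)

/* Hypothetical helper (not an Asterisk function): caret-encode ';' and '^'
 * from src into dst. Returns the encoded length, or -1 if dst is too small;
 * on failure dst is left as an empty string instead of a truncated value. */
static long caret_encode(const char *src, char *dst, size_t dstlen)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t used = 0;

	if (dstlen == 0) {
		return -1;
	}
	for (; *src; src++) {
		unsigned char c = (unsigned char) *src;
		size_t need = (c == ';' || c == '^') ? 3 : 1;

		/* Check room for this unit plus the terminator before writing. */
		if (need + 1 > dstlen - used) {
			dst[0] = '\0';
			return -1;
		}
		if (need == 3) {
			dst[used++] = '^';
			dst[used++] = hex[c >> 4];
			dst[used++] = hex[c & 0x0F];
		} else {
			dst[used++] = (char) c;
		}
	}
	dst[used] = '\0';
	return (long) used;
}

int main(void)
{
	const char *val = "sip:100@host;transport=udp"; /* constructed sample, 26 bytes */
	char small[27], big[CARET_ENCODED_MAX(26)];

	printf("sized for raw value: %ld\n", caret_encode(val, small, sizeof(small)));
	printf("sized for worst case: %ld (%s)\n", caret_encode(val, big, sizeof(big)), big);
	return 0;
}
```
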