| Summary: | ASTERISK-19592: Security Vulnerability: heap overflow exists in chan_skinny's handling of KEYPAD_BUTTON_MESSAGE | ||||||
| Reporter: | Matt Jordan (mjordan) | Labels: | |||||
| Date Opened: | 2012-03-26 08:10:01 | Date Closed: | 2012-04-23 08:38:19 | ||||
| Priority: | Major | Regression? | |||||
| Status: | Closed/Complete | Components: | Channels/chan_skinny | ||||
| Versions: | 1.6.2.23 1.8.10.1 10.2.1 | Frequency of Occurrence | |||||
| Related Issues: |
| ||||||
| Environment: | Attachments: | ||||||
| Description: | Reported by Russell Bryant: I believe that chan_skinny is vulnerable to a remotely exploitable heap overflow. File: channels/chan_skinny.c Function: handle_message() case KEYPAD_BUTTON_MESSAGE: If the call is in the right state, there is no bounds checking done when filling up the exten buffer: {code} sub->exten[strlen(sub->exten)] = dgt; sub->exten[strlen(sub->exten)+1] = '\0'; {code} Note by Matt Jordan: Interestingly enough, this was introduced *after* 1.4. Code in 1.4: {code} len = strlen(d->exten); if (len < sizeof(d->exten) - 1) { d->exten[len] = dgt; d->exten[len+1] = '\0'; } else { ast_log(LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt); } {code} Code in 1.6.2+ {code} d->exten[strlen(d->exten)] = dgt; d->exten[strlen(d->exten)+1] = '\0'; {code} | ||||||
| Comments: | |||||||