I recently removed a potential user-initiated crash by removing unnecessary ast_strdupa's in this patch.
The problem is that alloca() does not check whether things will fit in the stack. If they don't fit, Asterisk will simply segfault.
This wouldn't be so much of a problem, if it weren't for the limited stack size:
Before the mentioned patch, sending a SIP body that was too large (e.g. 700kB) would trigger the crash. Unfortunately, that isn't the only place where user data is fed to alloca and friends directly.
Anywhere one of ast_alloca, ast_str_alloca or ast_strdupa is used, care should be taken that the data isn't too large.
While checking for issues in the SIP module, I've found at least three, but I'm pretty sure there are more. All of those are only exploitable if you're using TCP (or TLS) because (fragmented) UDP won't allow packet sizes that big.
- Allow: BIG_STRING
- Content-Type: multipart/mixed;boundary="BIG_STRING"
- sdp body: o=BIG_STRING\nm=audio\n
The easy fix is to cap the SIP packet size at something reasonable like 20K. That's what the attached patch does.
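To illustrate the pattern and the proposed cap, here is an added example in C that is not from this report or from Asterisk itself: a stand-alone parser that pulls the Allow: header value from a constructed sample request, first with the alloca size taken straight from the input, then behind a packet-size check using the 20K figure suggested above.

```c
#include <alloca.h>
#include <stddef.h>
#include <string.h>

/* Cap on a single SIP packet; 20K is the figure proposed in the report. */
#define SIP_MAX_PACKET_SIZE (20 * 1024)

/* Constructed sample request (hypothetical host), used by the test. */
static const char SAMPLE_PACKET[] =
    "INVITE sip:alice@example.invalid SIP/2.0\r\n"
    "Allow: INVITE, ACK, BYE\r\n\r\n";

/* Locate the value of the Allow: header. Returns its start and stores its
 * length in *n, or returns NULL if the header is absent. */
static const char *allow_value(const char *packet, size_t *n)
{
    const char *v = strstr(packet, "Allow:");
    if (!v) return NULL;
    v += strlen("Allow:");
    const char *end = strpbrk(v, "\r\n");
    *n = end ? (size_t)(end - v) : strlen(v);
    return v;
}

/* Count comma separated methods in a NUL terminated, writable copy. */
static int count_tokens(char *copy)
{
    int count = 0;
    for (char *t = strtok(copy, ", \t"); t; t = strtok(NULL, ", \t")) count++;
    return count;
}

/* The pattern the report describes: the alloca size comes straight from the
 * input, so an oversized header becomes an oversized stack allocation. */
int count_allow_unchecked(const char *packet)
{
    size_t n;
    const char *v = allow_value(packet, &n);
    if (!v) return 0;
    char *copy = alloca(n + 1);
    memcpy(copy, v, n);
    copy[n] = '\0';
    return count_tokens(copy);
}

/* Hardened variant: reject the packet before any stack duplication happens,
 * so every later alloca is bounded by the cap. Returns -1 on reject. */
int count_allow_checked(const char *packet, size_t len)
{
    if (!packet || len > SIP_MAX_PACKET_SIZE) return -1;
    return count_allow_unchecked(packet);
}
```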
Patch makes the alloca's visible. It could be used to scan for other potential problems. (I've rewritten the ast_verbose alloca to use C99 variable length arrays. That suffers from the same problem, but it declutters the output.)