Details
- Type: Bug
- Status: Closed
- Severity: Critical
- Resolution: Fixed
- Affects Version/s: SVN
- Component/s: Applications/app_sms
- Labels:
- Environment: Debian 7,1, Kernel 3.2.0-4-686-pae
- Frequency of Occurrence: Frequent
- Source Revision Number: 399870
Description
In the current HEAD, a buffer overflow in app_sms.c prevents Asterisk from receiving 16-bit multipart SMS, as it runs in an endless loop over the array boundaries.
The function unpacksms16() always expects an even number of bytes to be processed. If, however, the user data header contains an odd number of bytes, the second while-loop never terminates (l is never 0 in the while condition) and it keeps overwriting the boundaries of *i until Asterisk terminates with a SIGSEGFAULT.
An odd number of bytes is in accordance with the specification, though (http://www.etsi.org/deliver/etsi_ts%5C123000_123099%5C123040%5C11.05.00_60%5Cts_123040v110500p.pdf, page 74).
The error has been reproduced by sending a multipart SMS with 16-bit encoding from Deutsche Telekom and Vodafone to a German landline number, which is handled by Asterisk.
We have addressed this issue by creating a patch that checks for an odd number of bytes and adds another byte in that case.
The patch that addresses the issue.
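
The counter behaviour described in the report, as an added example that is not code from app_sms.c or from the reporter's patch: the loop shape is an assumption based on the description, and `paired_decrement_iterations` and `unpack_ucs2_checked` are hypothetical names. The checked decoder handles an odd length by leaving the trailing byte unconsumed, which differs from the patch's approach of adding a byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed loop shape (not copied from app_sms.c): an 8-bit counter that is
 * decremented twice per 16-bit character. Only the counter is modelled, no
 * buffer is touched. Returns the iterations until the while condition sees 0,
 * or -1 if that has not happened after max_iter iterations. */
int paired_decrement_iterations(uint8_t l, int max_iter)
{
    int iter = 0;
    while (l--) {                 /* first byte of the pair */
        if (l--) {                /* second byte; from 0 this wraps to 255 */
            /* pair complete */
        }
        if (++iter >= max_iter)
            return -1;            /* counter parity never lets it reach 0 */
    }
    return iter;
}

/* Bounds-checked variant: consumes whole big-endian byte pairs only and never
 * writes more than out_cap characters. Returns the characters written and
 * sets *leftover to the number of input bytes not consumed. */
size_t unpack_ucs2_checked(const uint8_t *in, size_t len,
                           uint16_t *out, size_t out_cap, size_t *leftover)
{
    size_t n = 0;
    while (len >= 2 && n < out_cap) {
        out[n++] = (uint16_t)((in[0] << 8) | in[1]);
        in += 2;
        len -= 2;
    }
    *leftover = len;
    return n;
}

int main(void)
{
    /* Constructed sample: "Hi" in UCS-2 followed by one stray byte. */
    const uint8_t sample[] = { 0x00, 0x48, 0x00, 0x69, 0x00 };
    uint16_t out[4];
    size_t leftover;
    size_t n = unpack_ucs2_checked(sample, sizeof sample, out, 4, &leftover);

    printf("even: %d, odd: %d\n", paired_decrement_iterations(4, 1000),
           paired_decrement_iterations(5, 1000));
    printf("decoded %zu chars, %zu byte(s) left over\n", n, leftover);
    return 0;
}
```

With an odd starting count the `while` condition only ever sees odd values, so the model reports -1, while the checked decoder stops after two characters and reports one leftover byte.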