| Summary: | ASTERISK-24357: [fax] Out of bounds error in update_modem_bits | ||
| Reporter: | Jeremy Lainé (sharky) | Labels: | |
| Date Opened: | 2014-09-26 02:36:53 | Date Closed: | 2014-09-26 10:38:51 |
| Priority: | Major | Regression? | |
| Status: | Closed/Complete | Components: | Resources/res_fax |
| Versions: | 11.13.0 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | Attachments: | ( 0) res_fax_bounds.patch | |
| Description: | The update_modem_bits function in res_fax.c suffers from an out of bounds error : it allocates an array "m" of size 5, but can potentially write 6 entries to the array, counting the final NULL value.
As there are only 4 valid values (v17, v27, v29 and v34) for modems, the loop should stop iterating one item earlier. Putting 5 items or more in the "modems" line of res_fax.conf crashes asterisk, for instance: modems=v17,v27,v29,v34,v17 The attached patch fixes the problem. | ||
| Comments: | |||