
Summary: ASTERISK-26896: Overflow of buffer to PQEscapeStringConn with large app_args causes ABRT
Reporter: twisted (twisted)
Labels:
Date Opened: 2017-03-24 16:22:28
Date Closed: 2017-03-30 11:14:42
Priority: Major
Regression?:
Status: Closed/Complete
Components: CEL/cel_pgsql
Versions: 11.25.1, 13.15.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description:

If you have more than 513 characters being passed as arguments into a CEL log request (such as the dial app with a large array of devices), the module attempts to pass the char* pointer along with a buffer that is only allocated 513 bytes. PQEscapeStringConn() expects an appropriately sized buffer, and thus overflows our buffer, causing a SIGABRT when glibc detects the stack smash has occurred.

I have a patch that will resize our escape buffer if our value passed exceeds the initial 513 bytes.

The data used in this instance was to Dial.
{code}
Dial(SIP/2643&SIP/2393&SIP/2647&SIP/2997&SIP/2451Polycom&SIP/2400Polycom&SIP/2672&SIP/2366Polycom&SIP/2374&SIP/2405&SIP/2379&SIP/2338&SIP/2455&SIP/2355&SIP/2733&SIP/2531&SIP/2649&SIP/2365&SIP/2404&SIP/2447&SIP/2446&SIP/2541&SIP/2602Polycom&SIP/2387Polycom&SIP/2677&SIP/2735&SIP/2272&SIP/2526Polycom&SIP/2659&SIP/2514&SIP/2737Polycom&SIP/2675Polycom&SIP/2747&SIP/2293&SIP/2407&SIP/2553&SIP/2553Polycom&SIP/2566&SIP/2648&SIP/2422&SIP/2739&SIP/2758&SIP/2692&SIP/2537Polycom&SIP/2605&SIP/2413&SIP/2563&SIP/2204Polycom&SIP/2410Polycom&SIP/2289&SIP/2369&SIP/2445Polycom&SIP/2170Polycom&SIP/2420Polycom&SIP/2421Polycom&SIP/2391&SIP/2758Polycom&SIP/2700&SIP/2217&SIP/2454&SIP/2506,25,t)
{code}

Resulting in an ABRT with **stack smashing detected** pointing at cel_pgsql.c.
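The sizing rule behind this report, shown as an added example that is not code from Asterisk or from the Gerrit change: libpq documents that PQescapeStringConn() may write up to 2*length+1 bytes into the destination, so a fixed 513-byte buffer is only safe for 256 input bytes in the worst case, and a quote-free Dial string of more than 513 characters overflows it outright. The escape routine below is a stand-in that mimics libpq's doubling rather than libpq itself, and FIXED_ESCAPE_BUF and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Size of the fixed escape buffer the report describes in cel_pgsql (assumed name). */
#define FIXED_ESCAPE_BUF 513
/* Stand-in for PQescapeStringConn() (this example does not link libpq): it doubles
 * every single quote and, as libpq does when standard_conforming_strings is off,
 * every backslash, then NUL-terminates, so it may write up to 2*len+1 bytes. */
static size_t escape_like_libpq(char *to, const char *from, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (from[i] == '\'' || from[i] == '\\')
            to[n++] = from[i];
        to[n++] = from[i];
    }
    to[n] = '\0';
    return n;
}
/* Worst-case bytes the escape buffer must hold for a value of `len` bytes. */
size_t escape_buf_needed(size_t len)
{
    return 2 * len + 1;
}
/* Whether the fixed buffer is provably big enough for `len` input bytes.  In the
 * worst case it holds only 256, not 512: a value full of quotes or backslashes
 * overflows well before the 513 quote-free characters the report hit. */
int fixed_buf_suffices(size_t len)
{
    return escape_buf_needed(len) <= FIXED_ESCAPE_BUF;
}

/* Hardened pattern: escape into the fixed buffer when it suffices, otherwise into
 * a heap buffer sized by escape_buf_needed().  Returns a malloc'd copy of the
 * escaped value (caller frees) or NULL on allocation failure. */
char *escape_value(const char *value)
{
    char fixed[FIXED_ESCAPE_BUF];
    size_t len = strlen(value), n;
    char *buf = fixed, *out;
    if (!fixed_buf_suffices(len) && !(buf = malloc(escape_buf_needed(len))))
        return NULL;
    n = escape_like_libpq(buf, value, len);
    if ((out = malloc(n + 1)))
        memcpy(out, buf, n + 1);
    if (buf != fixed)
        free(buf);
    return out;
}
```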
Comments:

By: Asterisk Team (asteriskteam) 2017-03-24 16:22:29.005-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: twisted (twisted) 2017-03-24 16:27:46.007-0500

Patch to fix buffer overflow attached

By: Richard Mudgett (rmudgett) 2017-03-24 16:36:38.489-0500

You have to wait for the license agreement to be accepted before you can attach the patch. When it is accepted you need to reattach the patch. You could also put the patch up on gerrit [1] after the license is accepted.

[1] https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage

By: twisted (twisted) 2017-03-27 11:19:20.604-0500

License was accepted, patch is showing up now.

By: twisted (twisted) 2017-03-27 11:56:47.016-0500

Added to Gerrit !5333

Patch on this bug no longer valid. Removed.

By: Friendly Automation (friendly-automation) 2017-03-30 05:12:28.725-0500

Change 5333 merged by Joshua Colp:
cel_pgsql.c: Fix buffer overflow calling libpq

[https://gerrit.asterisk.org/5333|https://gerrit.asterisk.org/5333]

By: Friendly Automation (friendly-automation) 2017-03-30 05:13:23.952-0500

Change 5358 merged by Joshua Colp:
cel_pgsql.c: Fix buffer overflow calling libpq

[https://gerrit.asterisk.org/5358|https://gerrit.asterisk.org/5358]

By: Friendly Automation (friendly-automation) 2017-03-30 05:13:42.047-0500

Change 5357 merged by Joshua Colp:
cel_pgsql.c: Fix buffer overflow calling libpq

[https://gerrit.asterisk.org/5357|https://gerrit.asterisk.org/5357]

By: Friendly Automation (friendly-automation) 2017-03-31 07:06:40.713-0500

Change 5365 merged by zuul:
cdr_pgsql: Fix buffer overflow calling libpq

[https://gerrit.asterisk.org/5365|https://gerrit.asterisk.org/5365]

By: Friendly Automation (friendly-automation) 2017-03-31 07:24:34.771-0500

Change 5366 merged by Joshua Colp:
cdr_pgsql: Fix buffer overflow calling libpq

[https://gerrit.asterisk.org/5366|https://gerrit.asterisk.org/5366]

By: Friendly Automation (friendly-automation) 2017-03-31 09:02:37.116-0500

Change 5367 merged by zuul:
cdr_pgsql: Fix buffer overflow calling libpq

[https://gerrit.asterisk.org/5367|https://gerrit.asterisk.org/5367]