While studying the channels/chan_sip.c from the Asterisk 13 branch I
found suspicious code that might enable a buffer overflow on reception
of a SIP INFO packet.
In channels/chan_sip.c the function handle_request_info() contains the
This code gets the content of the X-ClientCode header, and if the
useclientcode has been enabled for the account, calls
ast_cdr_setuserfield with the supplied value. In turn, ast_cdr_userfield
contains the following:
The strcpy() call has as a target a char array with a fixed size of 256
bytes. No length validation is apparent from the code.
What exactly prevents a malicious remote client from sending a header
that exceeds 256 bytes and overwrites the CDR userfield and whatever
lies beyond it?
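To make the question concrete, here is an added example (not Asterisk's own code) of the bounded copy that would have to replace a bare strcpy() into a 256-byte userfield, together with a pre-flight length check a header handler could apply; the struct and function names are assumptions, only the 256-byte size comes from the post above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the CDR record the post describes:
 * a fixed 256-byte userfield (the size quoted in the post). */
#define USERFIELD_LEN 256

struct cdr_record {
    char userfield[USERFIELD_LEN];
};

/* Bounded replacement for the bare strcpy() pattern: always NUL-terminates,
 * never writes past USERFIELD_LEN, and reports truncation to the caller.
 * Returns 0 if the value fit, -1 if it was cut to USERFIELD_LEN - 1 bytes. */
int cdr_set_userfield_bounded(struct cdr_record *cdr, const char *value)
{
    size_t len = strlen(value);
    size_t copy = len < USERFIELD_LEN ? len : USERFIELD_LEN - 1;

    memcpy(cdr->userfield, value, copy);
    cdr->userfield[copy] = '\0';
    return len < USERFIELD_LEN ? 0 : -1;
}

/* Pre-flight check a SIP header handler could apply before storing an
 * X-ClientCode value: does it fit the userfield including the terminator? */
int userfield_value_fits(const char *value)
{
    return strlen(value) < USERFIELD_LEN;
}

/* Constructed sample input: a 399-byte header value, far longer than the
 * userfield. Built at runtime so the example stays self-contained. */
static char sample_oversized[400];
const char *build_sample_oversized(void)
{
    memset(sample_oversized, 'A', sizeof(sample_oversized) - 1);
    sample_oversized[sizeof(sample_oversized) - 1] = '\0';
    return sample_oversized;
}

/* Store a value into a fresh record and report the resulting length. */
size_t stored_length(const char *value)
{
    struct cdr_record cdr;
    cdr_set_userfield_bounded(&cdr, value);
    return strlen(cdr.userfield);
}

int main(void)
{
    const char *big = build_sample_oversized();
    printf("short value fits: %d\n", userfield_value_fits("abc123"));
    printf("oversized fits:   %d\n", userfield_value_fits(big));
    printf("oversized stored length: %zu\n", stored_length(big));
    return 0;
}
```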