| Summary: | ASTERISK-28569: Missing check for variable buf in function config_text_file_load in utils/extconf.c | ||
| Reporter: | Yoooooo Ha (Yooooooha) | Labels: | |
| Date Opened: | 2019-10-07 08:52:43 | Date Closed: | 2019-10-22 12:00:04 |
| Priority: | Major | Regression? | |
| Status: | Closed/Complete | Components: | . I did not set the category correctly. |
| Versions: | 16.6.0 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | No | Attachments: | |
| Description: | Summary: Missing check for variable buf in while(!feof(f)) loop. The
vulnerability may lead to DoS. {code} while(!feof(f)) { lineno++; if (fgets(buf, sizeof(buf), f)) { //MISSING CHECK HERE!! if ( withcomments ) { CB_ADD(lline_buffer); /* add the current lline buffer to the comment buffer */ lline_buffer[0] = 0; /* erase the lline buffer */ } new_buf = buf; if (comment) process_buf = NULL; else process_buf = buf; while ((comment_p = strchr(new_buf, COMMENT_META))) { {code} The function may skip lines that too long. It is the vulnerability that is same as vulnerability that was fixed in https://issues.asterisk.org/jira/secure/attachment/45489/issueA20658_dont_process_overlong_config_lines.patch (ASTERISK-20658 ) | ||
| Comments: | By: Asterisk Team (asteriskteam) 2019-10-07 08:52:44.879-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. By: Benjamin Keith Ford (bford) 2019-10-07 09:10:38.583-0500 Hello. What problem is it that you encountering? How are you reproducing the problem? Is it able to be reproduced consistently? By: Yoooooo Ha (Yooooooha) 2019-10-07 09:32:56.514-0500 I am not so sure about the bug, since there is no PoC. The function is similar to the one fixed in https://issues.asterisk.org/jira/secure/attachment/45489/issueA20658_dont_process_overlong_config_lines.patch The bug is found by analyzing previous security patches. By: Benjamin Keith Ford (bford) 2019-10-08 08:10:17.652-0500 Is this something you would like to work on? You can submit a patch to Gerrit [1] for review. More information on how to do this can be found here [2]. [1]: https://gerrit.asterisk.org/q/status:open [2]: https://wiki.asterisk.org/wiki/display/AST/Gerrit+Usage By: Asterisk Team (asteriskteam) 2019-10-22 12:00:03.597-0500 Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidlines [1]. [1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines | ||