Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2011-001 Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Description: Prevent buffer overflows in ast_uri_encode()
Origin: http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diff
Bug-Debian: http://bugs.debian.org/610487

When forming an outgoing SIP request while in pedantic mode, a stack
buffer can be made to overflow if supplied with carefully crafted caller
ID information. This vulnerability also affects the URIENCODE dialplan
function and in some versions of asterisk, the AGI dialplan application
as well. The ast_uri_encode function does not properly respect the size
of its output buffer and can write past the end of it when encoding URIs.

--- a/main/utils.c
+++ b/main/utils.c
@@ -385,28 +385,27 @@ char *ast_uri_encode(const char *string,
 	char *reserved = ";/?:@&=+$,# ";	/* Reserved chars */
 
  	const char *ptr  = string;	/* Start with the string */
-	char *out = NULL;
-	char *buf = NULL;
+	char *out = outbuf;
 
-	ast_copy_string(outbuf, string, buflen);
-
-	/* If there's no characters to convert, just go through and don't do anything */
-	while (*ptr) {
+	/* If there's no characters to convert, just go through and copy the string */
+	while (*ptr && out - outbuf < buflen - 1) {
 		if ((*ptr < 32) || (doreserved && strchr(reserved, *ptr))) {
-			/* Oops, we need to start working here */
-			if (!buf) {
-				buf = outbuf;
-				out = buf + (ptr - string) ;	/* Set output ptr */
+			if (out - outbuf >= buflen - 3) {
+				break;
 			}
+
 			out += sprintf(out, "%%%02x", (unsigned char) *ptr);
-		} else if (buf) {
-			*out = *ptr;	/* Continue copying the string */
+		} else {
+			*out = *ptr;	/* copy the character */
 			out++;
-		} 
+		}
 		ptr++;
 	}
-	if (buf)
+
+	if (buflen) {
 		*out = '\0';
+	}
+
 	return outbuf;
 }