Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2011-008
From: Kinsey Moore <kmoore@digium.com>
Date: Thu, 23 Jun 2011 18:21:12 +0000
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=324643
Subject: Addresses AST-2011-008, memory corruption and remote crash in SIP driver.

If a remote user sends a SIP packet containing a null, Asterisk assumes
available data extends past the null to the end of the packet when the
buffer is actually truncated when copied.  This causes SIP header parsing
to modify data past the end of the buffer altering unrelated memory
structures.  This vulnerability does not affect TCP/TLS connections.

CVE: CVE-2011-2529
See also http://downloads.asterisk.org/pub/security/AST-2011-008.html

---
 channels/chan_sip.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 7908a14..2981eb6 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -22706,7 +22706,8 @@ static int sipsock_read(int *id, int fd, short events, void *ignore)
 		return -1;
 	}
 
-	req.len = res;
+	/* req.data will have the correct length in case of nulls */
+	req.len = ast_str_strlen(req.data);
 	req.socket.fd = sipsock;
 	set_socket_transport(&req.socket, SIP_TRANSPORT_UDP);
 	req.socket.tcptls_session	= NULL;
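Review bot: the new assignment req.len = ast_str_strlen(req.data) discards the received byte count res without a trace, so a datagram containing an embedded null is silently shortened and then parsed as if it were complete. Consider comparing the two values at this point and emitting a warning or debug log when they differ, which would give operators a detection signal for malformed packets of the kind the commit message describes. The one-line comment would also be clearer if it said why res is no longer used, namely that the copy into req.data stops at the first null, so res can exceed the data actually held in the buffer.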
-- 
1.7.5.4