1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Origin: http://downloads.asterisk.org/pub/security/AST-2012-002-1.6.2.diff
Author: Russell Bryant <russell@russellbryant.com>
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19541
Fixes a buffer overflow in the Milliwatt dialplan application. Note that
exploiting it is probably tricky: requires, among others, that the
Milliwatt application is used (e.g. in the dialplan) with the option 'o'.
--- a/apps/app_milliwatt.c
+++ b/apps/app_milliwatt.c
@@ -74,7 +74,7 @@ static void milliwatt_release(struct ast
static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples)
{
unsigned char buf[AST_FRIENDLY_OFFSET + 640];
- const int maxsamples = ARRAY_LEN(buf);
+ const int maxsamples = ARRAY_LEN(buf) - (AST_FRIENDLY_OFFSET / sizeof(buf[0]));
int i, *indexp = (int *) data;
struct ast_frame wf = {
.frametype = AST_FRAME_VOICE,
|
