Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2012-005 Patch series
From cf2f4f0cf2fe5f30b1e033814ef57256a3806825 Mon Sep 17 00:00:00 2001
From: Matthew Jordan <mjordan@digium.com>
Date: Mon, 23 Apr 2012 13:30:50 +0000
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=363100
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-19592
Subject: AST-2012-005: chan_skinny: heap overflow in keypad button handling

When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue.  When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue.  The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun.  This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.

This issue can only be exploited with a registered Skinny phone (configured
in e.g. skinny.conf).

See Also: http://downloads.asterisk.org/pub/security/AST-2012-005.html

Reported by: Russell Bryant

---
 channels/chan_skinny.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -6064,6 +6064,7 @@ static int handle_register_available_lin
 static int handle_message(struct skinny_req *req, struct skinnysession *s)
 {
 	int res = 0;
+	size_t len;
 
 	if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
 		ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
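Review bot: the new `size_t len` is declared at the top of `handle_message()` even though it is only used in the keypad-button branch further down; if the file is kept C89-clean that placement is required, otherwise declaring it next to the `strlen(d->exten)` call it caches would keep the bounds check and the value it depends on together. Using `size_t` rather than `int` is the right choice here since it is compared against `sizeof(d->exten)`.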
@@ -6129,8 +6130,13 @@ static int handle_message(struct skinny_
 				ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
 			}
 
-			d->exten[strlen(d->exten)] = dgt;
-			d->exten[strlen(d->exten)+1] = '\0';
+			len = strlen(d->exten);
+			if (len < sizeof(d->exten) - 1) {
+				d->exten[len] = dgt;
+				d->exten[len + 1] = '\0';
+			} else {
+				ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+			}
 		} else
 			res = handle_keypad_button_message(req, s);
 		}
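Review bot: the bounds check `len < sizeof(d->exten) - 1` is only correct if `d->exten` is a fixed-size array in `struct skinny_device`; if it were ever changed to a pointer, `sizeof` would yield the pointer size and the check would silently stop protecting the buffer, so a comment or a `static_assert`/`ARRAY_LEN`-style guard near the field would make that assumption explicit. The `- 1` correctly reserves the terminator slot written by `d->exten[len + 1] = '\0'`. One style point: the new log call uses `AST_LOG_WARNING` while the surrounding code in this function (e.g. the "Unsupported digit" and "Client sent message" lines) uses `LOG_WARNING`; pick one form for consistency. Logging the dropped digit at warning level is useful for defenders, since a burst of "digit queue is full" messages from one registered phone is a clear signal that the overflow was being exercised.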