Package: asterisk / 1:13.14.1~dfsg-2+deb9u4

AST-2017-010.patch

From 2b85799512c7536516f50624ce1f13da6fe68dba Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Tue, 3 Oct 2017 16:19:52 -0500
Subject: [PATCH] AST-2017-010: Fix cdr_object_update_party_b_userfield_cb()
 buf overrun

cdr_object_update_party_b_userfield_cb() could overrun the fixed buffer if
the supplied string is too long.  The long string could be supplied by
external means using the CDR(userfield) function.

This may seem reminiscent of AST-2017-001 (ASTERISK_26897) and it is.  The
earlier patch fixed the buffer overrun for Party A's userfield while this
patch fixes the same thing for Party B's userfield.

ASTERISK-27337

Change-Id: I0fa767f65ecec7e676ca465306ff9e0edbf3b652
---
 main/cdr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/main/cdr.c b/main/cdr.c
index 1424607c99..60532fe9fc 100644
--- a/main/cdr.c
+++ b/main/cdr.c
@@ -3384,7 +3384,8 @@ static int cdr_object_update_party_b_userfield_cb(void *obj, void *arg, void *da
 		}
 		if (it_cdr->party_b.snapshot
 			&& !strcasecmp(it_cdr->party_b.snapshot->name, info->channel_name)) {
-			strcpy(it_cdr->party_b.userfield, info->userfield);
+			ast_copy_string(it_cdr->party_b.userfield, info->userfield,
+				sizeof(it_cdr->party_b.userfield));
 		}
 	}
 	return 0;
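Review bot: the new ast_copy_string() call in the party_b branch bounds the copy with sizeof(it_cdr->party_b.userfield), which is only the buffer length if userfield is declared as a fixed-size array member; the declaration is not visible in this hunk, so please confirm it, since sizeof on a pointer would give the pointer size and truncate every value. The copy now truncates an over-long info->userfield silently. Given that the commit message says the string can be supplied externally through CDR(userfield), consider rejecting or logging over-long input where it enters, so truncation is visible to the operator. It is also worth checking the rest of main/cdr.c for any remaining strcpy() into a userfield buffer, because this is the second advisory for the same pattern.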
@@ -3407,7 +3408,8 @@ void ast_cdr_setuserfield(const char *channel_name, const char *userfield)
 			if (it_cdr->fn_table == &finalized_state_fn_table) {
 				continue;
 			}
-			ast_copy_string(it_cdr->party_a.userfield, userfield, AST_MAX_USER_FIELD);
+			ast_copy_string(it_cdr->party_a.userfield, userfield,
+				sizeof(it_cdr->party_a.userfield));
 		}
 		ao2_unlock(cdr);
 	}
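Review bot: the party_a change in ast_cdr_setuserfield() is not mentioned in the commit message, which describes only the Party B overrun and says Party A was fixed by the earlier patch. Replacing AST_MAX_USER_FIELD with sizeof(it_cdr->party_a.userfield) looks like a consistency change rather than a fix, and it changes behaviour only if the array is not declared with AST_MAX_USER_FIELD, which cannot be told from these lines. Please add a sentence to the commit message saying this line is a hardening or consistency change so that people backporting the security fix know which hunk closes the overrun.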
-- 
2.11.0