Summary: | ASTERISK-00782: [patch] possible SIP buffer overflow | ||
Reporter: | Tilghman Lesher (tilghman) | Labels: | |
Date Opened: | 2004-01-11 12:00:10.000-0600 | Date Closed: | 2008-01-15 14:40:30.000-0600 |
Priority: | Minor | Regression? | No |
Status: | Closed/Complete | Components: | Core/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) 20040111__chan_sip_buffer_overflow_2.diff.txt ( 1) 20040111__chan_sip_buffer_overflow.diff.txt | |
Description: | get_msg_text() does not properly check the length of buf before writing into it. If there is only one line of message to be written, it's fine, but for multiple lines, arbitrary data could be overwritten.

****** ADDITIONAL INFORMATION ******

This mainly deals with the function strncat, where the n stands for number of bytes in the src, not the dest. | ||
Comments: |
By: Brian West (bkw918) 2004-01-11 12:58:56.000-0600
Fixed in CVS.

By: Tilghman Lesher (tilghman) 2004-01-11 13:08:11.000-0600
Found a few more...

By: jerjer (jerjer) 2004-01-11 13:44:07.000-0600
overflow 2 added to cvs.

By: Digium Subversion (svnbot) 2008-01-15 14:40:30.000-0600
Repository: asterisk
Revision: 1951

U trunk/channels/chan_sip.c

------------------------------------------------------------------------
r1951 | jeremy | 2008-01-15 14:40:29 -0600 (Tue, 15 Jan 2008) | 2 lines

check buffer for possible overflow. Thanks Corydon76
Bug ASTERISK-782
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=1951 |
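
The strncat() pitfall named in the description, shown as an added example; this is not Asterisk's get_msg_text() or the attached patch. The function names, the 16-byte logical buffer and the two sample lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CAP 16 /* logical size of the message buffer (assumed) */

/* Pattern from the report: n is set to the destination size, but
 * strncat() treats n as the most bytes to take from src. */
static void join_unsafe(char *buf, size_t len, const char **lines, size_t n)
{
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        strncat(buf, lines[i], len);
        strncat(buf, "\n", len);
    }
}

/* Bounded form: n is the room left in buf, less one for the NUL.
 * Returns 1 if any line was truncated, 0 otherwise. */
static int join_bounded(char *buf, size_t len, const char **lines, size_t n)
{
    int truncated = 0;
    if (len == 0) return 1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t room = len - strlen(buf) - 1;
        if (strlen(lines[i]) + 1 > room)
            truncated = 1;
        strncat(buf, lines[i], room);
        strncat(buf, "\n", len - strlen(buf) - 1);
    }
    return truncated;
}

/* Run one variant in a 64-byte arena whose first CAP bytes are the logical
 * buffer; count bytes changed beyond CAP (writes stay inside the arena). */
static size_t bytes_past_end(int bounded)
{
    const char *lines[] = { "0123456789", "abcdefghij" }; /* constructed */
    unsigned char arena[64];
    size_t over = 0;
    memset(arena, 0xAA, sizeof arena);
    if (bounded) (void)join_bounded((char *)arena, CAP, lines, 2);
    else join_unsafe((char *)arena, CAP, lines, 2);
    for (size_t i = CAP; i < sizeof arena; i++)
        over += (arena[i] != 0xAA);
    return over;
}

int main(void) { printf("unsafe=%zu bounded=%zu\n", bytes_past_end(0), bytes_past_end(1)); return 0; }
```

The first line fits in both variants; the second line is what pushes the unsafe variant past the logical end of the buffer, while the bounded variant truncates it.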