Summary: ASTERISK-00800: [patch] Misc Bugs (Look at note for more bugs)
Reporter: mochouinard (mochouinard)
Labels:
Date Opened: 2004-01-12 01:33:31.000-0600
Date Closed: 2008-01-15 14:42:03.000-0600
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) asterisk-history.patch
Description:

Buffer overflow in cli.c somewhere; it segfaults when shutting down:

*CLI> show applications ZapRAS ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan
Jan 12 02:15:49 WARNING[1074398976]: cli.c:838 parse_args: Too many arguments, truncating
Jan 12 02:15:49 WARNING[1074398976]: cli.c:838 parse_args: Too many arguments, truncating
*CLI>
*CLI> stop now
Beginning asterisk shutdown....

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1074398976 (LWP 7818)]
0x42074ee0 in _int_realloc () from /lib/tls/libc.so.6
(gdb) bt full
#0  0x42074ee0 in _int_realloc () from /lib/tls/libc.so.6
No symbol table info available.
#1  0x42073a46 in realloc () from /lib/tls/libc.so.6
No symbol table info available.
#2  0x0809e25c in history_save (h=0x80de050, fname=0xbffff1d0 "/root/.asterisk_history") at history.c:664
        fp = (FILE *) 0x80e0e68
        ev = {num = 7, str = 0x80e24b8 "show applications ZapRAS ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan ZapScan"...}
        i = 6
        retval = 808726616
        max_size = 51
        ptr = 0x80e2900 "ions\\040ZapRAS\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapScan\\040ZapSca"...
#3  0x0809e593 in history (h=0x80de050, ev=0xbffff188, fun=135385200) at history.c:821
        va = 0x30343058 <Address 0x30343058 out of bounds>
        str = 0x0
        retval = 135385200
#4  0x080833be in ast_el_write_history (filename=0x30343058 <Address 0x30343058 out of bounds>) at asterisk.c:1060
        ev = {num = 0, str = 0x80c43b0 "OK"}
#5  0x08084eab in quit_handler (num=0, nice=-1073745464, safeshutdown=1, restart=0) at asterisk.c:505
        filename = "/root/.asterisk_history", '\0' <repeats 56 times>
        s = 1073891755
        e = 1073891755
        x = -1073745464
#6  0x08085389 in handle_shutdown_now (fd=1, argc=2, argv=0xbffff2d0) at asterisk.c:697
No locals.
#7  0x0806ddaa in ast_cli_command (fd=1, s=0x30343058 <Address 0x30343058 out of bounds>) at cli.c:1007
        argv = {0x80e5af8 "stop", 0x80e5afd "now", 0x0, 0x8111e78 "", 0x2 <Address 0x2 out of bounds>, 0x10 <Address 0x10 out of bounds>, 0x42133220 "\001", 0x421328d4 "à'\023Bðé\001@°Â", 0x42133220 "\001", 0x1 <Address 0x1 out of bounds>, 0xbffff318 "8óÿ¿\006¦\aB\200\036\021\bÀÉ\r\b\t", 0x4207378d "\205À\211Çt\031e\203=\f", 0x42133220 "\001", 0x9 <Address 0x9 out of bounds>, 0x42133220 "\001", 0x421328d4 "à'\023Bðé\001@°Â", 0x9 <Address 0x9 out of bounds>, 0x80dc9c0 "stop now", 0xbffff338 "hóÿ¿ïÜ\t\bÀÉ\r\b", 0x4207a606 "\211Â\213]ô\211Ð\213uø\213}ü\211ì]Ã\220\220\220\220\220\220\220\220\220U\211å\203ì\030\211}ü\213E\f\213}\b\211]ô\211uøè\023¯ùÿ\201Ã\232\202\v", 0x8111e80 "stop now", 0x80dc9c0 "stop now", 0x9 <Address 0x9 out of bounds>, 0x80de080 "", 0x810eff8 "\t", 0xbffff418 "\t", 0xbffff368 "\210óÿ¿tÝ\t\b\200à\r\b\030ôÿ¿ÀÉ\r\b", 0x809dcef "\211F\004\203Ä\020\203{\020", 0x80dc9c0 "stop now", 0x0, 0xbffff368 "\210óÿ¿tÝ\t\b\200à\r\b\030ôÿ¿ÀÉ\r\b", 0x4206d3d6 "ºÿÿÿÿ9ðuÓëÏë\r", '\220' <repeats 13 times>, "U\211åWVSèR\201úÿ\201ÃÙT\f", 0x42130d00 "\204*û", 0x40016000 "Beginning asterisk shutdown....\nG\e[0;37;40m[1074398976]: \e[1;37;40mcli.c\e[0;37;40m:\e[1;37;40m838\e[0;37;40m \e[1;37;40mparse_args\e[0;37;40m: 40m: : ", 0xa <Address 0xa out of bounds>, 0x80de080 "", 0xbffff418 "\t", 0xbffff418 "\t", 0xbffff388 "èóÿ¿¶ä\t\b\200à\r\b\030ôÿ¿ÀÉ\r\b¤\034\006BÀóÿ¿", 0x809dd74 "\203Ä\020ºÿÿÿÿ\203øÿt-\213C\030;C\024~ \205À~\034\203ì\004ÿs\fVSèèþÿÿ\203Ä\020\213C\030;C\024~\004\205À\177äº", 0x80de080 "", 0xbffff418 "\t", 0x80dc9c0 "stop now", 0x0, 0xbffff418 "\t", 0x80de050 "\200à\r\b\t", 0xbffff3e8 "x÷ÿ¿0?\b\b\001", 0x809e4b6 "\211Â\203Ä\020\203øÿ\017\204É\001", 0x80de080 "", 0xbffff418 "\t", 0x80dc9c0 "stop now", 0x42061ca4 "ëà\211|$\b\213\203@\001", 0xbffff3c0 "°\207\002@", 0x0, 0x42130d00 "\204*û", 0xffffffff <Address 0xffffffff out of bounds>, 0x80d5e80 "\210~\r\b", 0x9 <Address 0x9 out of bounds>, 0x4204542d "\201çÔ\016", 0x1 <Address 0x1 out of bounds>, 0x400287b0 "U\211å\213E\b\213PH\213B\004H\211B\004\205Àu\rÇB\b", 0x42130d00 "\204*û", 0x0, 0x0}
        e = (struct ast_cli_entry *) 0x80c9f40
        x = 2
        dup = 0x80e5af8 "stop"
#8  0x08083f30 in main (argc=135121344, argv=0x80c9f40) at asterisk.c:602
        title = "Asterisk Console on 'data1.mtl.mccarthy.ca' (pid 7818)\000@ÿÿ\017\000Q", '\0' <repeats 55 times>, "A\231\000@¥\r\001B$ì\001@A\231\000@f \002@¬é\001@û\230\000@ðT\001@xç\001@\000\000\000\000\034õÿ¿\215\226\000@]\016\001Bô \002@\n\n\000@ \a\000@\000\001\000\000t\016\001B`½\000BÀ3\000Bðé\001@\b\000\000\000,í\001@ðT\001@\234á\001@v\022\002@üõÿ¿v\206\000@v\022\002@D\005\236\004\\\v\002@¬õÿ¿H"...
        c = 88 'X'
        filename = "/root/.asterisk_history", '\0' <repeats 56 times>
        hostname = "data1.mtl.mccarthy.ca\000\023B \000\000\000t\016\001B`½\000BÀ3\000Bðé\001@\b\000\000\000,í\001@ðT\001@\224X\001@kÒ\004\b0÷ÿ¿v\206\000@kÒ\004\b\216ÿw\001<¹\004\bàöÿ¿HX\001@\006\000\000\000pí\001@\000\000\000\000\001", '\0' <repeats 12 times>, "(no öÿ¿\000\000\000\000 \000\000\000\000\000\200\000ÿÿÿÿÐ.\002@\000\000\000\000\001\000\000\000\000\000\000\000\237\205\000@ðT\001@S\037\000\000àöÿ¿\f÷ÿ¿\003Ä\000@\214ë\001@\000\000\000\000\216ÿw\001p÷ÿ¿øV\001@\000\000"...
        tmp = "\e[1;37;40mAsterisk Ready.\n\e[0;37;40m\000Ü\000B\202\211¹\npj\000Blöÿ¿A\231\000@«Î\004\b¬é\001@û\230\000@ðT\001@xç\001@\000\000\000"
        xarg = 0xbffff2d0 "øZ\016\býZ\016\b"
        x = 135385200
        f = (FILE *) 0x80dc9c0
        sigs = {__val = {134238211, 0 <repeats 31 times>}}
        num = 9
        buf = 0x80dc9c0 "stop now"
#9  0x42015704 in __libc_start_main () from /lib/tls/libc.so.6
No symbol table info available.
Comments:

By: Brian West (bkw918) 2004-01-14 01:21:05.000-0600
ABUSE... good job :P Not sure how to tackle this one!

By: James Golovich (jamesgolovich) 2004-01-14 01:54:24.000-0600
I was able to reproduce this easily. One simple fix would be to limit the size of a history entry that gets added in ast_el_add_history. Since clearly other parts of the CLI won't handle the long lines, I don't see any problem limiting the length. I think 256 characters should be enough; patch attached.

By: Mark Spencer (markster) 2004-01-23 13:20:56.000-0600
Fixed in CVS, thanks!

By: Digium Subversion (svnbot) 2008-01-15 14:42:03.000-0600
Repository: asterisk
Revision: 2064

U   trunk/asterisk.c

------------------------------------------------------------------------
r2064 | markster | 2008-01-15 14:42:03 -0600 (Tue, 15 Jan 2008) | 2 lines

Fix overflow in too many arguments (bug ASTERISK-800)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=2064
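The following C program is an added example, not code from the bug report, the attached patch, or Asterisk itself. It shows the two defensive points the thread touches: an argument splitter that reports "too many arguments" and truncates without ever writing past its fixed argv array, and a history wrapper that refuses any entry longer than the 256-character cap James Golovich proposes, so the history-file writer never sees an oversized line. Every name here (safe_parse_args, bounded_history_add, toy_history, demo_command, MAX_ARGS, MAX_HISTORY_LEN, HISTORY_SLOTS) and the 64-slot argv capacity are assumptions chosen for illustration, and the "show applications ZapRAS ZapScan ..." input is constructed to resemble the reporter's transcript rather than copied from Asterisk.

```c
/* Added example, not code from Asterisk or from the bug report.
 * Names, limits and the sample input are illustrative assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 64          /* assumed argv capacity, including the NULL slot */
#define MAX_HISTORY_LEN 256  /* entry cap proposed in the thread */
#define HISTORY_SLOTS 16     /* depth of the toy history list */

/* Split s in place on spaces and tabs into argv[]. At most MAX_ARGS-1 tokens
 * are stored, argv is always NULL-terminated, and *truncated is set when the
 * input held more tokens than fit. The bound is checked before every store. */
static int safe_parse_args(char *s, char *argv[], int *truncated)
{
    int argc = 0;
    *truncated = 0;
    while (*s) {
        while (*s == ' ' || *s == '\t')
            s++;
        if (!*s)
            break;
        if (argc >= MAX_ARGS - 1) {   /* keep the last slot for NULL */
            *truncated = 1;
            break;
        }
        argv[argc++] = s;
        while (*s && *s != ' ' && *s != '\t')
            s++;
        if (*s)
            *s++ = '\0';
    }
    argv[argc] = NULL;
    return argc;
}

/* Toy stand-in for the libedit history list. */
struct toy_history {
    char *entry[HISTORY_SLOTS];
    int count;
};

/* Returns 1 if the line was stored, 0 if refused. Refusing anything over
 * MAX_HISTORY_LEN bytes before it reaches the history code is the mitigation
 * the thread describes. */
static int bounded_history_add(struct toy_history *h, const char *line)
{
    size_t len = strlen(line);
    if (len > MAX_HISTORY_LEN || h->count >= HISTORY_SLOTS)
        return 0;
    h->entry[h->count] = malloc(len + 1);
    if (!h->entry[h->count])
        return 0;
    memcpy(h->entry[h->count], line, len + 1);
    h->count++;
    return 1;
}

static void toy_history_free(struct toy_history *h)
{
    for (int i = 0; i < h->count; i++)
        free(h->entry[i]);
    h->count = 0;
}

/* Constructed input shaped like the reporter's: "show applications ZapRAS"
 * followed by `repeats` copies of " ZapScan" (8 bytes each). Caller frees. */
static char *make_zapscan_line(int repeats)
{
    const char *head = "show applications ZapRAS";
    char *line = malloc(strlen(head) + (size_t)repeats * 8 + 1);
    if (!line)
        return NULL;
    strcpy(line, head);
    for (int i = 0; i < repeats; i++)
        strcat(line, " ZapScan");
    return line;
}

/* Run one command line through both guards. Returns the number of argv slots
 * filled (-1 on allocation failure); *truncated and *stored report what each
 * guard decided. */
int demo_command(int repeats, int *truncated, int *stored)
{
    struct toy_history hist = { {0}, 0 };
    char *argv[MAX_ARGS];
    char *line = make_zapscan_line(repeats);
    if (!line)
        return -1;
    *stored = bounded_history_add(&hist, line); /* before parsing, which mutates line */
    int argc = safe_parse_args(line, argv, truncated);
    toy_history_free(&hist);
    free(line);
    return argc;
}

int main(void)
{
    int truncated, stored;
    int argc = demo_command(64, &truncated, &stored);
    printf("64 x ZapScan: argc=%d truncated=%d stored=%d\n", argc, truncated, stored);
    argc = demo_command(3, &truncated, &stored);
    printf(" 3 x ZapScan: argc=%d truncated=%d stored=%d\n", argc, truncated, stored);
    return 0;
}
```

With 64 repetitions the line is 536 bytes and 67 tokens: the splitter stops at 63 stored tokens and flags truncation, and the history guard refuses the entry. With 3 repetitions the line is 48 bytes and 6 tokens, so both guards let it through. Refusing the entry outright, as the thread suggests, is simpler than truncating it; a truncating variant would have to copy at most MAX_HISTORY_LEN bytes and NUL-terminate the copy itself rather than rely on the caller's buffer.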