Summary: ASTERISK-04498: [patch] ast_recvtext function assumes text received is null terminated
Reporter: Sarah Nordstrom (sarahemm)
Labels:
Date Opened: 2005-06-29 00:47:55
Date Closed: 2008-01-15 15:39:56.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) recvtext-fixnull-20050629-sn-0.diff

Description: The ast_recvtext() function in channel.c assumes strings sent in frames are null terminated.  This is valid for some functions sending strings, but not others which do not null-terminate the strings sent in frames.  If a string received by ast_recvtext() is not null terminated, the function could potentially read past the end of the assigned memory and cause a SEGV.

****** ADDITIONAL INFORMATION ******

The attached patch fixes the issue by making ast_recvtext use a NULL in the string, or the passed length of the string in the frame structure (changes strdup to strndup).
This issue doesn't always cause a crash, but always causes problems with ast_recvtext() if used with functions that do not terminate strings (such as TDD mode on Zap channels) by receiving lots of garbage after the string.  It could sometimes cause a crash.
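
The difference between the two copy strategies named in this report, as an added example that is not part of the original issue or the attached patch. `struct text_frame`, the function names and the sample buffer are assumptions made for illustration; the copies are written in plain C in place of `strdup`/`strndup` so the bound is visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a text frame (assumed names, not Asterisk's struct). */
struct text_frame {
    const char *data;   /* payload, not guaranteed to be NUL-terminated */
    size_t datalen;     /* number of valid payload bytes */
};

/* Pre-fix behaviour, as strdup(f->data) would do: scan for a NUL and ignore
 * datalen, so the copy runs past the payload when no NUL lies inside it. */
char *dup_text_unbounded(const struct text_frame *f)
{
    size_t n = strlen(f->data);
    char *out = malloc(n + 1);
    if (out) memcpy(out, f->data, n + 1);
    return out;
}

/* Post-fix behaviour, as strndup(f->data, f->datalen) would do: stop at the
 * first NUL or at datalen, whichever comes first, then terminate the copy. */
char *dup_text_bounded(const struct text_frame *f)
{
    const char *nul = memchr(f->data, '\0', f->datalen);
    size_t n = nul ? (size_t)(nul - f->data) : f->datalen;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, f->data, n);
    out[n] = '\0';
    return out;
}

/* Constructed sample: 5 payload bytes followed by unrelated bytes in the same
 * buffer. The array's own trailing NUL keeps the unbounded copy in bounds. */
static const char sample_buf[] = "HELLO\x7f\x01stale-bytes";

int main(void)
{
    struct text_frame f = { sample_buf, 5 };
    char *bad = dup_text_unbounded(&f), *good = dup_text_bounded(&f);
    if (bad && good) printf("unbounded=%zu bytes, bounded=%zu bytes\n", strlen(bad), strlen(good));
    free(bad); free(good);
    return 0;
}
```

In a real frame there is no guaranteed NUL after the payload, so the unbounded copy either returns trailing garbage, as here, or walks off the allocation.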
Comments:

By: Sarah Nordstrom (sarahemm) 2005-07-02 14:20:08

Please remove patch sendtext-fixterm-20050702-sn-0.diff, as it was meant for another bug, not this one.

By: Kevin P. Fleming (kpfleming) 2005-07-05 15:44:06

Committed to CVS HEAD, thanks!

By: Digium Subversion (svnbot) 2008-01-15 15:39:56.000-0600

Repository: asterisk
Revision: 6030

U   trunk/channel.c

------------------------------------------------------------------------
r6030 | kpfleming | 2008-01-15 15:39:56 -0600 (Tue, 15 Jan 2008) | 2 lines

ensure that text frames are copied correctly even if they are not null-terminated (bug ASTERISK-4498)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=6030