Summary:ASTERISK-04498: [patch] ast_recvtext function assumes text received is null terminated
Reporter:Sarah Nordstrom (sarahemm)Labels:
Date Opened:2005-06-29 00:47:55Date Closed:2008-01-15 15:39:56.000-0600
Versions:Frequency of
Environment:Attachments:( 0) recvtext-fixnull-20050629-sn-0.diff
Description:The ast_recvtext() function in channel.c assumes strings sent in frames are null terminated.  This is valid for some functions sending strings, but not others which do not null-terminate the strings sent in frames.  If a string received by ast_recvtext() is not null terminated, the function could potentially read past the end of the assigned memory and cause a SEGV.


The attached patch fixes the issue by making ast_recvtext use a NULL in the string, or the passed length of the string in the frame structure (changes strdup to strndup).
This issue doesn't always cause a crash, but always causes problems with ast_recvtext() if used with functions that do not terminate strings (such as TDD mode on Zap channels) by receiving lots of garbage after the string.  It could sometimes cause a crash.
Comments:By: Sarah Nordstrom (sarahemm) 2005-07-02 14:20:08

Please remove patch sendtext-fixterm-20050702-sn-0.diff, as it was meant for another bug, not this one.

By: Kevin P. Fleming (kpfleming) 2005-07-05 15:44:06

Committed to CVS HEAD, thanks!

By: Digium Subversion (svnbot) 2008-01-15 15:39:56.000-0600

Repository: asterisk
Revision: 6030

U   trunk/channel.c

r6030 | kpfleming | 2008-01-15 15:39:56 -0600 (Tue, 15 Jan 2008) | 2 lines

ensure that text frames are copied correctly even if they are not null-terminated (bug ASTERISK-4498)