Summary: ASTERISK-08899: Eval leaks stack data on the end of the result string
Reporter: Mike Jagdis (mjagdis)
Labels:
Date Opened: 2007-02-27 16:14:05.000-0600
Date Closed: 2007-03-13 20:56:49
Versions:
Frequency of
Description: funcs/func_eval.c:function_eval does "buf[0] = '\0';" but pbx_substitute_variables_helper assumes the buffer is completely zero filled.

I can get data leakage on the end of a ${EVAL(...)} result but I don't have a simple test case. The problem is clear, though. The same confusion may well exist elsewhere.

No patch. Either eval should zero the whole buffer or pbx_substitute_variables_helper should end with a "*cp2 = '\0';". Personally I'd prefer the latter as all this buffer zeroing to save underlying functions null-terminating strings is just _wrong_.
Comments:

By: kotique (kotique) 2007-03-13 16:15:07

The same here. Guys, that's awfully wrong.

// ${cutpattern} is "${NEWNUMBER}"

evals to:

Set("SIP/out-b7266f28", "NEWNUMBER=011584146456004ER}")

You see "ER}" at the end of the string? That's wrong! In some cases I'm getting the whole SIP conversation dialog in that variable.

By: Tilghman Lesher (tilghman) 2007-03-13 20:56:49

Committed in 58880 and 58881.  Note that the reason why I changed the EVAL code is that it's documented that pbx_substitute_variables_helper should be given a zero-initialized buffer, and EVAL was not in compliance with documentation.
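
An added C example (not Asterisk code and not part of the thread above) modelling the mismatch discussed in this issue: a caller that clears only `buf[0]` in a reused buffer, and a copy helper that relies on the buffer being zero-filled. `substitute` and `eval_model` are hypothetical names, and the stale buffer content is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 64

/* Hypothetical stand-in for the substitution helper: copies src into dst via
 * cp2. With terminate == 0 it relies on dst being zero-filled by the caller. */
static void substitute(const char *src, char *dst, size_t count, int terminate)
{
    char *cp2 = dst;
    while (*src && count > 1) {
        *cp2++ = *src++;
        count--;
    }
    if (terminate)
        *cp2 = '\0';            /* callee-side fix proposed in the report */
}

/* Model of an EVAL-style caller working in a reused buffer.
 * zero_fill == 0: only buf[0] is cleared, as the report describes.
 * zero_fill == 1: whole buffer cleared, matching the helper's contract. */
size_t eval_model(const char *expr, char *buf, int zero_fill, int terminate)
{
    /* Constructed stale content standing in for earlier stack data. */
    memset(buf, 0, BUFSZ);
    strcpy(buf, "INVITE sip:stale@example.invalid");

    if (zero_fill)
        memset(buf, 0, BUFSZ);
    else
        buf[0] = '\0';

    substitute(expr, buf, BUFSZ, terminate);
    return strlen(buf);
}

int main(void)
{
    char buf[BUFSZ];
    const char *expr = "011584146456004";   /* sample input */

    eval_model(expr, buf, 0, 0);
    printf("buf[0] only : \"%s\"\n", buf);
    eval_model(expr, buf, 1, 0);
    printf("zero-filled : \"%s\"\n", buf);
    eval_model(expr, buf, 0, 1);
    printf("terminated  : \"%s\"\n", buf);
    return 0;
}
```

Only the first variant returns a string longer than its input; the extra bytes are whatever the buffer held before the call.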