| Summary: | ASTERISK-11406: ast_print_group misuses strncat | ||
| Reporter: | Norman Franke (norman) | Labels: | |
| Date Opened: | 2008-02-08 19:23:38.000-0600 | Date Closed: | 2008-03-07 00:56:19.000-0600 |
| Priority: | Minor | Regression? | No |
| Status: | Closed/Complete | Components: | Channels/General |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ( 0) 20080209__bug11958.diff.txt | |
| Description: | ast_print_group does things like this: strncat(buf, ", ", buflen); strncat(buf, num, buflen); However, strncat can write size+1 bytes (for the trailing \0.) Callers pass in sizeof(buf), which could case a one-byte buffer overflow. | ||
| Comments: | By: Tilghman Lesher (tilghman) 2008-02-09 10:16:01.000-0600 I have marked this issue as private, because in two cases (chan_misdn and func_enum), there are potential remote security issues. I've uploaded a patch, and we'll look at this further on Monday to reevaluate how serious a security risk response this issue merits. By: Norman Franke (norman) 2008-02-09 23:25:31.000-0600 No problem. I didn't actually experience a crash, just observed this reading through the code. By: Tilghman Lesher (tilghman) 2008-02-11 11:48:09.000-0600 crich: could you take a look at this, please? I need to know whether the size of these chan_misdn elements could ever overflow (even by an aberrant provider) or if this is disqualified by the protocol. By: Tilghman Lesher (tilghman) 2008-02-29 12:06:51.000-0600 crich: ping By: Norman Franke (norman) 2008-03-06 13:15:43.000-0600 It would be nice to get a patch into 1.4.19, if possible. By: Digium Subversion (svnbot) 2008-03-07 00:32:47.000-0600 Repository: asterisk Revision: 106552 U branches/1.4/apps/app_chanspy.c U branches/1.4/apps/app_rpt.c U branches/1.4/apps/app_speech_utils.c U branches/1.4/apps/app_voicemail.c U branches/1.4/channels/chan_misdn.c U branches/1.4/funcs/func_enum.c U branches/1.4/main/asterisk.c U branches/1.4/main/channel.c U branches/1.4/main/frame.c U branches/1.4/main/manager.c ------------------------------------------------------------------------ r106552 | tilghman | 2008-03-07 00:32:44 -0600 (Fri, 07 Mar 2008) | 6 lines Safely use the strncat() function. (closes issue ASTERISK-11406) Reported by: norman Patches: 20080209__bug11958.diff.txt uploaded by Corydon76 (license 14) ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=106552 By: Digium Subversion (svnbot) 2008-03-07 00:51:05.000-0600 Repository: asterisk Revision: 106553 _U trunk/ U trunk/apps/app_chanspy.c U trunk/apps/app_rpt.c U trunk/apps/app_speech_utils.c U trunk/apps/app_voicemail.c U trunk/channels/chan_misdn.c U trunk/channels/chan_sip.c U trunk/funcs/func_enum.c U trunk/funcs/func_odbc.c U trunk/funcs/func_strings.c U trunk/main/asterisk.c U trunk/main/channel.c U trunk/main/frame.c U trunk/utils/extconf.c ------------------------------------------------------------------------ r106553 | tilghman | 2008-03-07 00:51:04 -0600 (Fri, 07 Mar 2008) | 14 lines Merged revisions 106552 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r106552 | tilghman | 2008-03-07 00:36:33 -0600 (Fri, 07 Mar 2008) | 6 lines Safely use the strncat() function. (closes issue ASTERISK-11406) Reported by: norman Patches: 20080209__bug11958.diff.txt uploaded by Corydon76 (license 14) ........ ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=106553 By: Digium Subversion (svnbot) 2008-03-07 00:53:56.000-0600 Repository: asterisk Revision: 106554 _U branches/1.6.0/ U branches/1.6.0/apps/app_chanspy.c U branches/1.6.0/apps/app_rpt.c U branches/1.6.0/apps/app_speech_utils.c U branches/1.6.0/apps/app_voicemail.c U branches/1.6.0/channels/chan_misdn.c U branches/1.6.0/channels/chan_sip.c U branches/1.6.0/funcs/func_enum.c U branches/1.6.0/funcs/func_odbc.c U branches/1.6.0/funcs/func_strings.c U branches/1.6.0/main/asterisk.c U branches/1.6.0/main/channel.c U branches/1.6.0/main/frame.c U branches/1.6.0/utils/extconf.c ------------------------------------------------------------------------ r106554 | tilghman | 2008-03-07 00:53:55 -0600 (Fri, 07 Mar 2008) | 22 lines Merged revisions 106553 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk ................ r106553 | tilghman | 2008-03-07 00:54:47 -0600 (Fri, 07 Mar 2008) | 14 lines Merged revisions 106552 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r106552 | tilghman | 2008-03-07 00:36:33 -0600 (Fri, 07 Mar 2008) | 6 lines Safely use the strncat() function. (closes issue ASTERISK-11406) Reported by: norman Patches: 20080209__bug11958.diff.txt uploaded by Corydon76 (license 14) ........ ................ ------------------------------------------------------------------------ http://svn.digium.com/view/asterisk?view=rev&revision=106554 By: Tilghman Lesher (tilghman) 2008-03-07 00:56:19.000-0600 There. It'll be in 1.4.19 now. | ||