Summary: ASTERISK-12576: [patch] asterisk crashes when SPRINTF function has too few arguments
Reporter: adomjan (adomjan)
Labels:
Date Opened: 2008-08-13 09:47:44
Date Closed: 2008-08-15 09:42:38
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Functions/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 20080813__bug13299.diff.txt
( 1) func_strings.c-sprintf.patch
Description:
reproduce:
Set(num=5)
Set(string="a%ib%ic%id")
NoOP(${SPRINTF("${string}",${num},${num})})

crash:
==27040==
==27040== Thread 30:
==27040== Invalid read of size 1
==27040==    at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040==    by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040==    by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040==    by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040==    by 0xF2C95BA: ??? (func_strings.c:499)
==27040==    by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040==    by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040==    by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040==    by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040==    by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040==    by 0x4D8C8B: dummy_start (utils.c:917)
==27040==    by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==27040==
==27040== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==27040==  Access not within mapped region at address 0x0
==27040==    at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040==    by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040==    by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040==    by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040==    by 0xF2C95BA: ??? (func_strings.c:499)
==27040==    by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040==    by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040==    by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040==    by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040==    by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040==    by 0x4D8C8B: dummy_start (utils.c:917)
==27040==    by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040==
Comments:

By: adomjan (adomjan) 2008-08-14 03:38:51

I found another bug in SPRINTF: in some cases it returns a longer string than expected:

dialplan (ael):
i=1;
vars="route_%i_skbk,route_%i_name,route_%i_metric";
NoOP(${SPRINTF("${vars}",${i},${i},${i})});

the result:
[Aug 14 10:41:33]     -- Executing [5238@test-nums:3] Set("SIP/teszt-3622622222-095eada0", "i=1") in new stack
[Aug 14 10:41:33]     -- Executing [5238@test-nums:4] Set("SIP/teszt-3622622222-095eada0", "vars="route_%i_skbk,route_%i_name,route_%i_metric"") in new stack
[Aug 14 10:41:33]     -- Executing [5238@test-nums:5] NoOp("SIP/teszt-3622622222-095eada0", "route_1_skbk,route_1_name,route_1_metricv??*") in new stack
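Both reports above come down to two defects in one formatting loop: a conversion specifier is processed before checking that an argument exists for it (so the third `%i` in `a%ib%ic%id` hands a NULL pointer to sscanf(), which is what the valgrind trace shows), and the output buffer is not reliably NUL-terminated (which is what the trailing garbage after `route_1_metric` shows). The following is an added example, written for this page and not code from Asterisk's func_strings.c or from either patch: a minimal standalone dialplan-style SPRINTF in C that supports `%i`/`%d`, `%s` and `%%`, refuses a format with more specifiers than arguments before touching the missing argument, and keeps the result terminated after every piece and on every error path. The names `dialplan_sprintf`, `repro_too_few_arguments` and `repro_terminated_result` are assumptions for illustration; the two inputs are the reproductions from the report and the comment above.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Asterisk's func_strings.c. Formats fmt with the
 * string arguments argv[0..argc-1]. Supports %i/%d (integer), %s and %%.
 * Returns 0 on success; -1 if the format needs more arguments than were
 * supplied, a specifier is unsupported, an integer argument does not
 * parse, or the result would not fit. On failure out[] is "" (terminated). */
int dialplan_sprintf(char *out, size_t outlen, const char *fmt,
                     int argc, const char *const *argv)
{
    size_t pos = 0;
    int argi = 0;
    const char *p;

    if (out == NULL || outlen == 0 || fmt == NULL)
        return -1;
    out[0] = '\0';                     /* terminated before anything else */

    for (p = fmt; *p != '\0'; p++) {
        char piece[64];
        int n;

        if (*p != '%') {               /* literal character */
            if (pos + 1 >= outlen)
                goto fail;
            out[pos++] = *p;
            out[pos] = '\0';
            continue;
        }
        p++;
        if (*p == '%') {               /* "%%" -> "%" consumes no argument */
            if (pos + 1 >= outlen)
                goto fail;
            out[pos++] = '%';
            out[pos] = '\0';
            continue;
        }
        /* The check the crash lacked: with "a%ib%ic%id" and two arguments
         * the third specifier would otherwise read argv[2], i.e. NULL. */
        if (argi >= argc || argv[argi] == NULL)
            goto fail;

        switch (*p) {
        case 'i':
        case 'd': {
            int v = 0;
            if (sscanf(argv[argi], "%d", &v) != 1)
                goto fail;             /* argument is not an integer */
            n = snprintf(piece, sizeof piece, "%d", v);
            break;
        }
        case 's':
            n = snprintf(piece, sizeof piece, "%s", argv[argi]);
            break;
        default:                       /* unsupported, or lone trailing '%' */
            goto fail;
        }
        argi++;
        if (n < 0 || (size_t)n >= sizeof piece || pos + (size_t)n >= outlen)
            goto fail;
        memcpy(out + pos, piece, (size_t)n);
        pos += (size_t)n;
        out[pos] = '\0';               /* terminated after every piece */
    }
    return 0;

fail:
    out[0] = '\0';
    return -1;
}

/* Reproduction from the report: three specifiers, two arguments.
 * Returns 1 when the call is rejected and leaves an empty, terminated buffer. */
int repro_too_few_arguments(void)
{
    char buf[64];
    const char *args[] = { "5", "5" };
    memset(buf, 'X', sizeof buf);      /* garbage, so termination must be ours */
    return dialplan_sprintf(buf, sizeof buf, "a%ib%ic%id", 2, args) == -1
        && buf[0] == '\0';
}

/* Reproduction from the comment: a correct call must yield exactly the
 * expected string with nothing trailing after it. Returns 1 on success. */
int repro_terminated_result(void)
{
    char buf[64];
    const char *args[] = { "1", "1", "1" };
    memset(buf, 'X', sizeof buf);
    if (dialplan_sprintf(buf, sizeof buf,
                         "route_%i_skbk,route_%i_name,route_%i_metric", 3, args) != 0)
        return 0;
    return strcmp(buf, "route_1_skbk,route_1_name,route_1_metric") == 0;
}

int main(void)
{
    printf("too few arguments rejected: %d\n", repro_too_few_arguments());
    printf("result correctly terminated: %d\n", repro_terminated_result());
    return 0;
}
```

The two rules that matter for a dialplan function fed by user-controlled variables are visible in the loop: validate the argument count at the specifier, before the argument is dereferenced, and write the terminator yourself rather than relying on whatever the buffer held before the call.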

By: adomjan (adomjan) 2008-08-15 09:03:50

I fixed the missing '\0' string termination, patch uploaded.

By: Digium Subversion (svnbot) 2008-08-15 09:42:35

Repository: asterisk
Revision: 138023

U   branches/1.4/funcs/func_strings.c

------------------------------------------------------------------------
r138023 | tilghman | 2008-08-15 09:42:32 -0500 (Fri, 15 Aug 2008) | 8 lines

Additional check for more string specifiers than arguments.
(closes issue ASTERISK-12576)
Reported by: adomjan
Patches:
      20080813__bug13299.diff.txt uploaded by Corydon76 (license 14)
      func_strings.c-sprintf.patch uploaded by adomjan (license 487)
Tested by: adomjan

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=138023