|Summary:||ASTERISK-17959: Buffer overflow in custom_prepare|
|Reporter:||Mikael Carlsson (mickecarlsson)||Labels:|
|Date Opened:||2011-06-03 12:14:23||Date Closed:||2012-09-05 08:32:37|
|Environment:||Attachments:||( 0) bt_full.txt|
|Description:||If writing to realtime when using ODBC, Asterisk crashes when there is a ';' in the data.|
****** ADDITIONAL INFORMATION ******
I am stretching this a bit, but I am testing 17682, astdb over realtime. When I used res_mysql it worked perfectly, but when I switched to odbc Asterisk crashed as soon as a SIP phone registered.
I traced it to what I believe is a buffer overflow in res_config_odbc.c, and that is that *data is copied to *cps in struct custom_prepare_struct *cps = data;
Later in the code, if there is a ';' in the *data, it is changed to ^3B, and that adds two more bytes to the data buffer. Later in the code, the use of ast_string_field_set(cps, encoding[x], encodebuf); sets the added buffer back to cps, causing an overflow, and Asterisk crashes.
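Added example, not part of the original ticket and not Asterisk code: a bounds-checked version of the ';' to ^3B encoding described above, showing that a buffer sized for the raw value is too small once each ';' grows from one byte to three. The function names and the sample value are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes needed (excluding NUL) once every ';' becomes the 3-byte "^3B". */
size_t encoded_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++)
        n += (*in == ';') ? 3 : 1;
    return n;
}

/*
 * Hypothetical helper: write the encoded form of `in` into `out`
 * (capacity `outsz`). Returns 0 on success, or -1 without writing past
 * the buffer when the encoded string plus NUL does not fit.
 */
int encode_field(const char *in, char *out, size_t outsz)
{
    char *p = out;

    if (encoded_len(in) + 1 > outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    for (; *in; in++) {
        if (*in == ';') {
            memcpy(p, "^3B", 3);   /* one input byte becomes three */
            p += 3;
        } else {
            *p++ = *in;
        }
    }
    *p = '\0';
    return 0;
}

int main(void)
{
    const char *raw = "sip:100@host;transport=udp"; /* constructed sample */
    char for_raw[27];      /* strlen(raw) + 1: fits the raw value only */
    char for_encoded[29];  /* encoded_len(raw) + 1 */
    int r1 = encode_field(raw, for_raw, sizeof for_raw);
    int r2 = encode_field(raw, for_encoded, sizeof for_encoded);

    printf("raw=%zu encoded=%zu\n", strlen(raw), encoded_len(raw));
    printf("raw-sized: %d, encoded-sized: %d -> %s\n", r1, r2, for_encoded);
    return 0;
}
```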
|Comments:||By: Mikael Carlsson (mickecarlsson) 2011-06-03 14:34:13|
Issue 17369 is related
By: Mikael Carlsson (mickecarlsson) 2011-06-08 12:23:18.134-0500
Reference to relation in jira is ASTERISK-16123
By: Matt Jordan (mjordan) 2012-09-05 08:32:37.863-0500
Fixed in ASTERISK-16123