Summary: ASTERISK-17959: Buffer overflow in custom_prepare
Reporter: Mikael Carlsson (mickecarlsson)
Labels:
Date Opened: 2011-06-03 12:14:23
Date Closed: 2012-09-05 08:32:37
Versions: 1.8.4
Frequency of
Is related to: ASTERISK-16123 [patch] realtime shows 2x fullcontact if delimited by ';'
Environment:
Attachments: (0) bt_full.txt
Description: If writing to realtime when using ODBC, Asterisk crashes when there is a ';' in the data.


I am stretching this a bit, but I am testing 17682, astdb over realtime. When I used res_mysql it worked perfectly, but when I switched to ODBC, Asterisk crashed as soon as a SIP phone registered.

I traced it to what I believe is a buffer overflow in res_config_odbc.c, namely that *data is copied to *cps in struct custom_prepare_struct *cps = data;
Later in the code, if there is a ';' in *data it is changed to ^3B, and that adds two more bytes to the data buffer. Later still, the call ast_string_field_set(cps, encoding[x], encodebuf); sets the enlarged buffer back into cps, causing an overflow, and Asterisk crashes.
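As an added illustration of the size mismatch the report describes (this is not code from Asterisk or from the reporter): escaping ';' to ^3B grows the string by two bytes per occurrence, so a destination sized from the unescaped length is too small, and a bounded escape routine has to reject that case instead of writing past the end. The function names and the sample inputs are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Illustrative reimplementation of the ';' -> "^3B" escaping described in the
 * report, not Asterisk's own res_config_odbc.c code. The escaped string can be
 * longer than the input, so the destination must be sized from the escaped
 * length rather than from strlen(src). */

/* Length of src after escaping, excluding the NUL terminator. */
size_t escaped_length(const char *src)
{
    size_t needed = 0;
    for (const char *p = src; *p; p++)
        needed += (*p == ';') ? 3 : 1;   /* each ';' becomes the 3 bytes "^3B" */
    return needed;
}

/* Escape src into dst (dst_size bytes). Returns 0 on success, or -1 and an
 * empty dst when the escaped form plus its NUL would not fit. */
int escape_semicolons(const char *src, char *dst, size_t dst_size)
{
    if (dst_size == 0 || escaped_length(src) + 1 > dst_size) {
        if (dst_size) dst[0] = '\0';
        return -1;                       /* refuse rather than overflow */
    }
    char *out = dst;
    for (const char *p = src; *p; p++) {
        if (*p == ';') { memcpy(out, "^3B", 3); out += 3; }
        else *out++ = *p;
    }
    *out = '\0';
    return 0;
}

/* Escape src into a fresh dst_size-byte buffer; 1 if the result equals expect.
 * Passing dst_size = strlen(src) + 1 models the sizing the report says overflows. */
int escapes_to(const char *src, size_t dst_size, const char *expect)
{
    char *buf = malloc(dst_size);
    int ok = buf && escape_semicolons(src, buf, dst_size) == 0
             && strcmp(buf, expect) == 0;
    free(buf);
    return ok;
}
```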

Comments:

By: Mikael Carlsson (mickecarlsson) 2011-06-03 14:34:13

Issue 17369 is related

By: Mikael Carlsson (mickecarlsson) 2011-06-08 12:23:18.134-0500

Reference to relation in jira is ASTERISK-16123

By: Matt Jordan (mjordan) 2012-09-05 08:32:37.863-0500

Fixed in ASTERISK-16123