kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-12 15:45:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix remotely exploitable stack overrun in Milliwatt

Browse Source 
Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option.  This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.

This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed.  Note that at no
point is remote code execution possible.  The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.

(issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
  milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
  Note that this patch was written by Russell, even though Matt uploaded it



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@359615 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Matthew Jordan
2012-03-15 18:20:49 +00:00
parent 14fdd09490
commit 8235a16c2b
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/app_milliwatt.c
View File

@@ -77,7 +77,7 @@ static void milliwatt_release(struct ast_channel *chan, void *data)
static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples)
{
unsigned char buf[AST_FRIENDLY_OFFSET + 640];
const int maxsamples = sizeof (buf) / sizeof (buf[0]);
const int maxsamples = (sizeof (buf) / sizeof (buf[0])) - (AST_FRIENDLY_OFFSET / sizeof(buf[0]));
int i, *indexp = (int *) data;
struct ast_frame wf = {
.frametype = AST_FRAME_VOICE,