asterisk

mirror of https://github.com/asterisk/asterisk.git synced 2025-10-11 15:18:38 +00:00

Files

Matthew Jordan 8235a16c2b Fix remotely exploitable stack overrun in Milliwatt

Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option.  This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.

This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed.  Note that at no
point is remote code execution possible.  The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.

(issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
  milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
  Note that this patch was written by Russell, even though Matt uploaded it



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@359615 65c4cc65-6c06-0410-ace0-fbb531ad65f3

2012-03-15 18:20:49 +00:00

app_adsiprog.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_alarmreceiver.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_amd.c

Total analysis time error with SIP and silence suppression

2010-07-16 17:10:36 +00:00

app_authenticate.c

fix a bunch of potential problems found by gcc 4.3.x, primarily bare strings being passed to printf()-like functions and ignored results from read()/write() and friends

2008-11-01 18:22:39 +00:00

app_cdr.c

Finished up a previous fix to overcome a compiler warning; the app NoCDR() has been updated to mark the channel CDR as POST_DISABLED instead of destroying the CDR; this way its flags are propagated thru a bridge and the CDR is actually dropped. The cases where only one channel in a bridge has a CDR was cleaned up.

2007-04-10 05:18:26 +00:00

app_chanisavail.c

Document a limitation in the AVAILSTATUS variable from ChanIsAvail and provide

2009-11-13 17:19:59 +00:00

app_channelredirect.c

This patch fixes h-exten running misbehavior in manager-redirected

2009-01-28 18:51:16 +00:00

app_chanspy.c

Properly detect when a sound file doesn't exist

2010-09-03 16:10:23 +00:00

app_controlplayback.c

Make sure res is a positive value before performing the check to determine whether the user stopped it or not.

2007-10-22 16:15:18 +00:00

app_dahdibarge.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_dahdiras.c

Change include order to make compile on Centos 5 with DAHDI

2009-02-24 17:02:20 +00:00

app_dahdiscan.c

(closes issue #13480 )

2008-12-19 19:48:00 +00:00

app_db.c

Fix a couple of typos. Initially pointed out by mrobinson.

2006-11-16 23:19:46 +00:00

app_dial.c

Fix app_dial ring groups

2011-05-18 19:56:08 +00:00

app_dictate.c

Merged revisions 68526 via svnmerge from

2007-06-08 22:23:22 +00:00

app_directed_pickup.c

Merged revisions 318671 via svnmerge from

2011-05-13 01:09:40 +00:00

app_directory.c

Modify directory name reading to be interrupted with operator or pound escape.

2010-05-18 18:54:58 +00:00

app_disa.c

Implicitly sending a progress signal breaks some applications.

2009-09-24 19:39:41 +00:00

app_dumpchan.c

merge new_loader_completion branch, including (at least):

2006-08-21 02:11:39 +00:00

app_echo.c

revert ability to exit echo app

2010-03-02 19:36:20 +00:00

app_exec.c

Fix a minor spelling error.

2008-03-11 17:32:17 +00:00

app_externalivr.c

Don't try to free statically allocated memory.

2011-03-08 02:42:00 +00:00

app_festival.c

Lose the CAP_NET_ADMIN at every fork, instead of at startup. Otherwise, if

2009-01-29 22:54:29 +00:00

app_flash.c

Allow dahdichanname to work as advertised.

2009-03-17 20:13:40 +00:00

app_followme.c

Don't create a Local channel if the target extension does not exist.

2010-12-07 00:07:37 +00:00

app_forkcdr.c

(closes issue #12910 )

2008-06-22 02:54:52 +00:00

app_getcpeid.c

Adds DAHDI support alongside Zaptel. DAHDI usage favored, but all Zap stuff should continue working. Release announcement to follow.

2008-06-12 19:08:20 +00:00

app_hasnewvoicemail.c

Check to make sure a value has been given to the VMCOUNT dialplan function.

2007-10-16 14:52:22 +00:00

app_ices.c

Lose the CAP_NET_ADMIN at every fork, instead of at startup. Otherwise, if

2009-01-29 22:54:29 +00:00

app_image.c

merge new_loader_completion branch, including (at least):

2006-08-21 02:11:39 +00:00

app_ivrdemo.c

merge new_loader_completion branch, including (at least):

2006-08-21 02:11:39 +00:00

app_lookupblacklist.c

Picky, picky... show deprecation warning in application help, too (reported via list)

2007-02-26 22:01:23 +00:00

app_lookupcidname.c

Picky, picky... show deprecation warning in application help, too (reported via list)

2007-02-26 22:01:23 +00:00

app_macro.c

The channel redirect function (CLI or AMI) hangs up the call instead of redirecting the call.

2010-11-22 18:46:26 +00:00

app_meetme.c

The meetme CLI command completion leaves conferences mutex locked.

2011-05-20 20:38:22 +00:00

app_milliwatt.c

Fix remotely exploitable stack overrun in Milliwatt

2012-03-15 18:20:49 +00:00

app_mixmonitor.c

Bug fix for MixMonitor involving filenames with '.' not in the extension

2011-03-07 22:02:12 +00:00

app_morsecode.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_mp3.c

Resolve a crash due to an ast_frame not being fully initialized.

2010-01-06 15:18:22 +00:00

app_nbscat.c

Fix cases where the internal poll() was not being used when it needed to be.

2009-03-18 02:09:13 +00:00

app_osplookup.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_page.c

Resolve a logic error that was causing Page() to crash when more than one

2009-01-25 13:33:20 +00:00

app_parkandannounce.c

Use ast_strlen_zero to avoid a crash when a Dial() string isn't passed to ParkAndAnnounce

2010-03-09 19:29:39 +00:00

app_playback.c

Implicitly sending a progress signal breaks some applications.

2009-09-24 19:39:41 +00:00

app_privacy.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_queue.c

Re-fix queue round-robin

2011-05-06 07:55:21 +00:00

app_random.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_read.c

Revert unnecessary indications API change from rev 122314

2009-01-13 19:13:05 +00:00

app_readfile.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_realtime.c

Fix some memory leaks found while looking at how realtime

2008-12-17 20:51:38 +00:00

app_record.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_rpt.c

Typos: recieved => received

2010-12-20 09:13:18 +00:00

app_sayunixtime.c

merge new_loader_completion branch, including (at least):

2006-08-21 02:11:39 +00:00

app_senddtmf.c

Change NULL pointer check to be ast_strlen_zero.

2009-03-24 22:34:45 +00:00

app_sendtext.c

Minor AST_FRAME_TEXT related issues.

2011-02-03 00:02:43 +00:00

app_setcallerid.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_setcdruserfield.c

Expand deprecation warnings from simply warning on use to the builtin documentation.

2007-03-15 23:11:33 +00:00

app_settransfercapability.c

Expand deprecation warnings from simply warning on use to the builtin documentation.

2007-03-15 23:11:33 +00:00

app_skel.c

Revert inadvertent changes to app_skel that occurred when

2008-08-06 00:27:54 +00:00

app_sms.c

Fix a crash in app_sms.

2010-09-30 15:34:29 +00:00

app_softhangup.c

Use strrchr() so SoftHangup will correctly truncate multi-hyphen channel names

2009-09-01 23:04:52 +00:00

app_speech_utils.c

Set quieted flag when receiving a dtmf tone during playback in speechbackground.

2010-05-19 20:01:38 +00:00

app_stack.c

Don't execute a gosub if the arguments is zero-len (not just NULL)

2007-10-15 20:29:35 +00:00

app_system.c

The System() and TrySystem() applications can take a substantial amount of

2007-09-19 19:50:48 +00:00

app_talkdetect.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_test.c

pri loop TestClient/TestServer fails: server SEND DTMF 8

2009-03-26 21:07:32 +00:00

app_transfer.c

merge new_loader_completion branch, including (at least):

2006-08-21 02:11:39 +00:00

app_url.c

Fix documentation to reflect how Url() really works

2006-09-21 20:22:43 +00:00

app_userevent.c

Typo found while fixing issue #16961 .

2010-03-18 17:57:31 +00:00

app_verbose.c

AST-2009-005

2009-08-10 19:15:57 +00:00

app_voicemail.c

If sox fails when processing a voicemail, don't delete the original file.

2011-05-04 16:08:50 +00:00

app_voicemail.exports

Make all the symbols for the C-client callbacks global

2009-08-20 19:53:34 +00:00

app_waitforring.c

add silence gen to wait apps

2010-01-13 17:16:12 +00:00

app_waitforsilence.c

add silence gen to wait apps

2010-01-13 17:16:12 +00:00

app_while.c

ast_waitfordigit() requires that the channel be up, for no good logical

2008-11-14 00:41:37 +00:00

app_zapateller.c

An empty string is an empty callerid ... so zap it. This closes issue #10502 , which was pointed out by dswartz. Thank you, and may the swartz be with you

2007-08-24 22:59:52 +00:00

enter.h

remove extraneous svn:executable properties

2005-11-29 18:24:39 +00:00

leave.h

remove extraneous svn:executable properties

2005-11-29 18:24:39 +00:00

Makefile

remove this, it has been moved to the main Makefile

2008-07-03 22:20:16 +00:00

rpt_flow.pdf

remove extraneous svn:executable properties

2005-11-29 18:24:39 +00:00