diff options
author | Matthew Jordan <mjordan@digium.com> | 2012-03-15 18:55:54 +0000 |
---|---|---|
committer | Matthew Jordan <mjordan@digium.com> | 2012-03-15 18:55:54 +0000 |
commit | c61d49d5cc592e07208fb6d85ba6e6edae455aff (patch) | |
tree | 69a73cdb1436a4d353bc930caaa3a5fb37e460b5 /apps | |
parent | 31462e7bd6ee617c4e80302e050e0e5c97a7f5eb (diff) |
Fix remotely exploitable stack overrun in Milliwatt
Milliwatt is vulnerable to a remotely exploitable stack overrun when using
the 'o' option. This occurs due to the milliwatt_generate function not
accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
samples it can put in the output buffer.
This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
when determining the maximum number of samples allowed. Note that at no
point is remote code execution possible. The data that is written into the
buffer is the pre-defined Milliwatt data, and not custom data.
(closes issue ASTERISK-19541)
Reported by: Russell Bryant
Tested by: Matt Jordan
Patches:
milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
Note that this patch was written by Russell, even though Matt uploaded it
........
Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
Merged revisions 359656 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........
Merged revisions 359694 from http://svn.asterisk.org/svn/asterisk/branches/10
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@359704 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'apps')
-rw-r--r-- | apps/app_milliwatt.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/app_milliwatt.c b/apps/app_milliwatt.c index 421414126..75d8037d6 100644 --- a/apps/app_milliwatt.c +++ b/apps/app_milliwatt.c @@ -78,7 +78,7 @@ static void milliwatt_release(struct ast_channel *chan, void *data) static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples) { unsigned char buf[AST_FRIENDLY_OFFSET + 640]; - const int maxsamples = ARRAY_LEN(buf); + const int maxsamples = ARRAY_LEN(buf) - (AST_FRIENDLY_OFFSET / sizeof(buf[0])); int i, *indexp = (int *) data; struct ast_frame wf = { .frametype = AST_FRAME_VOICE, |