diff options
| author | Alexei Gradinari <alex2grad@gmail.com> | 2016-04-07 12:37:43 -0400 |
|---|---|---|
| committer | Joshua Colp <jcolp@digium.com> | 2016-04-07 17:10:30 -0500 |
| commit | bc320df173623ab6e4b11c4e6bfd3a4bc7d023f3 (patch) | |
| tree | b4653ee3fe3ee6a11a6784f3a75983c6fb97b467 /apps | |
| parent | 8207372e663bdaa44acbe8fd6a262eead5532ad8 (diff) | |
app_voicemail/IMAP: IMAP access FATAL error: Out of memory
Sometimes uw-imap function 'mail_fetchbody' returns huge len
which then pass to uw-imap function 'rfc822_base64'.
uw-imap tries to allocate huge memory and abort() on fail.
This patch check the len.
If the len more than max size (128 Mbytes) log error.
This patch also set variables len, newlen to avoid uninizialezed len.
This patch also check pointer returned by rfc822_base64.
ASTERISK-25899 #close
Change-Id: I4a0e7d655f11abef6a5224e2169df6d5c1f1caca
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/app_voicemail.c | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/apps/app_voicemail.c b/apps/app_voicemail.c index 0755c44b0..ce99cc9eb 100644 --- a/apps/app_voicemail.c +++ b/apps/app_voicemail.c @@ -580,6 +580,8 @@ static AST_LIST_HEAD_STATIC(vmstates, vmstate); #define INTRO "vm-intro" +#define MAX_MAIL_BODY_CONTENT_SIZE 134217728L // 128 Mbyte + #define MAXMSG 100 #define MAXMSGLIMIT 9999 @@ -3624,8 +3626,8 @@ static int save_body(BODY *body, struct vm_state *vms, char *section, char *form char *body_content; char *body_decoded; char *fn = is_intro ? vms->introfn : vms->fn; - unsigned long len; - unsigned long newlen; + unsigned long len = 0; + unsigned long newlen = 0; char filename[256]; if (!body || body == NIL) @@ -3634,12 +3636,18 @@ static int save_body(BODY *body, struct vm_state *vms, char *section, char *form ast_mutex_lock(&vms->lock); body_content = mail_fetchbody(vms->mailstream, vms->msgArray[vms->curmsg], section, &len); ast_mutex_unlock(&vms->lock); - if (body_content != NIL) { + if (len > MAX_MAIL_BODY_CONTENT_SIZE) { + ast_log(AST_LOG_ERROR, + "Msgno %ld, section %s. The body's content size %ld is huge (max %ld). User:%s, mailbox %s\n", + vms->msgArray[vms->curmsg], section, len, MAX_MAIL_BODY_CONTENT_SIZE, vms->imapuser, vms->username); + return -1; + } + if (body_content != NIL && len) { snprintf(filename, sizeof(filename), "%s.%s", fn, format); /* ast_debug(1, body_content); */ body_decoded = rfc822_base64((unsigned char *) body_content, len, &newlen); /* If the body of the file is empty, return an error */ - if (!newlen) { + if (!newlen || !body_decoded) { return -1; } write_file(filename, (char *) body_decoded, newlen); |