diff options
author | Tilghman Lesher <tilghman@meg.abyt.es> | 2010-11-15 07:45:42 +0000 |
---|---|---|
committer | Tilghman Lesher <tilghman@meg.abyt.es> | 2010-11-15 07:45:42 +0000 |
commit | 53357354a4be9348bde2dbbe047e637fb2adf119 (patch) | |
tree | 00d09cb158443498d8703ee09a69c8f8649d272f /funcs | |
parent | 6751c4f29350cb7a1347b7921a62cc457f2f3c46 (diff) |
Merged revisions 294989 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.8
................
r294989 | tilghman | 2010-11-15 01:44:38 -0600 (Mon, 15 Nov 2010) | 15 lines
Merged revisions 294988 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.6.2
........
r294988 | tilghman | 2010-11-15 01:42:39 -0600 (Mon, 15 Nov 2010) | 8 lines
It is possible to crash Asterisk by feeding the curl engine invalid data.
(closes issue #18161)
Reported by: wdoekes
Patches:
20101029__issue18161.diff.txt uploaded by tilghman (license 14)
Tested by: tilghman
........
................
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@294990 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'funcs')
-rw-r--r-- | funcs/func_curl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/funcs/func_curl.c b/funcs/func_curl.c index 92d0b9729..d6c440257 100644 --- a/funcs/func_curl.c +++ b/funcs/func_curl.c @@ -529,8 +529,11 @@ static int acf_curl_helper(struct ast_channel *chan, const char *cmd, char *info struct ast_str *fields = ast_str_create(ast_str_strlen(str) / 2); struct ast_str *values = ast_str_create(ast_str_strlen(str) / 2); int rowcount = 0; - while ((piece = strsep(&remainder, "&"))) { + while (fields && values && (piece = strsep(&remainder, "&"))) { char *name = strsep(&piece, "="); + if (!piece) { + piece = ""; + } ast_uri_decode(piece); ast_uri_decode(name); ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name); |