[Pkg-voip-commits] r8800 - in /asterisk/branches/lenny-security/debian: changelog patches/AST-2011-002 patches/series

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Tue Feb 22 12:36:41 UTC 2011


Author: tzafrir
Date: Tue Feb 22 12:36:39 2011
New Revision: 8800

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=8800
Log:
Patch AST-2011-002: Multiple crash vulnerabilities in UDPTL code.

Added:
    asterisk/branches/lenny-security/debian/patches/AST-2011-002
Modified:
    asterisk/branches/lenny-security/debian/changelog
    asterisk/branches/lenny-security/debian/patches/series

Modified: asterisk/branches/lenny-security/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/changelog?rev=8800&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/changelog (original)
+++ asterisk/branches/lenny-security/debian/changelog Tue Feb 22 12:36:39 2011
@@ -1,3 +1,10 @@
+asterisk (1:1.4.21.2~dfsg-3+lenny2.1) oldstable-security; urgency=low
+
+  * Patch AST-2011-002: Multiple crash vulnerabilities in UDPTL code. 
+  * My new @debian.org address
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Tue, 22 Feb 2011 14:23:45 +0200
+
 asterisk (1:1.4.21.2~dfsg-3+lenny2) oldstable-security; urgency=high
 
   [ Tzafrir Cohen ]

Added: asterisk/branches/lenny-security/debian/patches/AST-2011-002
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/AST-2011-002?rev=8800&op=file
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/AST-2011-002 (added)
+++ asterisk/branches/lenny-security/debian/patches/AST-2011-002 Tue Feb 22 12:36:39 2011
@@ -1,0 +1,110 @@
+Subject: Multiple array overflow and crash vulnerabilities in UDPTL code
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=308506
+
+When decoding UDPTL packets, multiple stack and heap based arrays can be
+made to overflow by specially crafted packets. Systems doing T.38 pass
+through or termination are vulnerable.
+
+See also: http://downloads.asterisk.org/pub/security/AST-2011-002.html
+---
+ main/udptl.c |   49 +++++++++++++++++++++++--------------------------
+ 1 files changed, 23 insertions(+), 26 deletions(-)
+
+diff --git a/main/udptl.c b/main/udptl.c
+index 76b4a14..77946f0 100644
+--- a/main/udptl.c
++++ b/main/udptl.c
+@@ -175,37 +175,31 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
+ 	}
+ 	*pvalue = (buf[*len] & 0x3F) << 14;
+ 	(*len)++;
+-	/* Indicate we have a fragment */
++	/* We have a fragment.  Currently we don't process fragments. */
++	if (option_debug) {
++		ast_log(LOG_DEBUG, "UDPTL packet with length greater than 16K received, decoding will fail\n");
++	}
+ 	return 1;
+ }
+ /*- End of function --------------------------------------------------------*/
+ 
+ static int decode_open_type(uint8_t *buf, int limit, int *len, const uint8_t **p_object, int *p_num_octets)
+ {
+-	int octet_cnt;
+-	int octet_idx;
+-	int stat;
+-	int i;
+-	const uint8_t **pbuf;
++	int octet_cnt = 0;
+ 
+-	for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {
+-		if ((stat = decode_length(buf, limit, len, &octet_cnt)) < 0)
+-			return -1;
+-		if (octet_cnt > 0) {
+-			*p_num_octets += octet_cnt;
++	if (decode_length(buf, limit, len, &octet_cnt) != 0)
++		return -1;
+ 
+-			pbuf = &p_object[octet_idx];
+-			i = 0;
+-			/* Make sure the buffer contains at least the number of bits requested */
+-			if ((*len + octet_cnt) > limit)
+-				return -1;
++	if (octet_cnt > 0) {
++		/* Make sure the buffer contains at least the number of bits requested */
++		if ((*len + octet_cnt) > limit)
++			return -1;
+ 
+-			*pbuf = &buf[*len];
+-			*len += octet_cnt;
+-		}
+-		if (stat == 0)
+-			break;
++		*p_num_octets = octet_cnt;
++		*p_object = &buf[*len];
++		*len += octet_cnt;
+ 	}
++
+ 	return 0;
+ }
+ /*- End of function --------------------------------------------------------*/
+@@ -290,8 +284,8 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, int len)
+ 	const uint8_t *data;
+ 	int ifp_len;
+ 	int repaired[16];
+-	const uint8_t *bufs[16];
+-	int lengths[16];
++	const uint8_t *bufs[ARRAY_LEN(s->f) - 1];
++	int lengths[ARRAY_LEN(s->f) - 1];
+ 	int span;
+ 	int entries;
+ 	int ifp_no;
+@@ -321,13 +315,13 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, int len)
+ 			do {
+ 				if ((stat2 = decode_length(buf, len, &ptr, &count)) < 0)
+ 					return -1;
+-				for (i = 0; i < count; i++) {
++				for (i = 0; i < count && total_count + i < ARRAY_LEN(bufs); i++) {
+ 					if ((stat = decode_open_type(buf, len, &ptr, &bufs[total_count + i], &lengths[total_count + i])) != 0)
+ 						return -1;
+ 				}
+-				total_count += count;
++				total_count += i;
+ 			}
+-			while (stat2 > 0);
++			while (stat2 > 0 && total_count < ARRAY_LEN(bufs));
+ 			/* Step through in reverse order, so we go oldest to newest */
+ 			for (i = total_count; i > 0; i--) {
+ 				if (seq_no - i >= s->rx_seq_no) {
+@@ -390,6 +384,9 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, int len)
+ 		if (ptr + 1 > len)
+ 			return -1;
+ 		entries = buf[ptr++];
++		if (entries > MAX_FEC_ENTRIES) {
++			return -1;
++		}
+ 		s->rx[x].fec_entries = entries;
+ 
+ 		/* Decode the elements */
+-- 
+1.7.2.3
+
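Review bot: In the rewritten decode_open_type() of the embedded main/udptl.c patch, a zero-length open type returns 0 without writing `*p_object` or `*p_num_octets`, because both assignments sit inside `if (octet_cnt > 0)`; the removed loop at least reset `*p_num_octets = 0` on entry. The caller's `bufs[]` and `lengths[]` are declared without initialisers in the udptl_rx_packet hunk, so a successful zero-length decode would leave those slots holding indeterminate stack contents for the reverse-order loop that follows. That loop's body is outside the visible hunks, so confirm how the entries are consumed. Dropping the `if (octet_cnt > 0)` guard would close the gap, since the `(*len + octet_cnt) > limit` check is still correct for 0, leaving `*p_num_octets = octet_cnt;`, `*p_object = &buf[*len];` and `*len += octet_cnt;` unconditional.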

Modified: asterisk/branches/lenny-security/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/lenny-security/debian/patches/series?rev=8800&op=diff
==============================================================================
--- asterisk/branches/lenny-security/debian/patches/series (original)
+++ asterisk/branches/lenny-security/debian/patches/series Tue Feb 22 12:36:39 2011
@@ -102,3 +102,4 @@
 AST-2009-010
 ast_uri_validhex
 AST-2011-001
+AST-2011-002



