[Pkg-voip-commits] [asterisk] 01/01: Patch AST-2013-006: fixes a buffer overflow in app_sms.

Tue Dec 17 00:47:30 UTC 2013

This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch wheezy
in repository asterisk.

commit 6cda9fb18226ad6342bb0d88d9d13d30f3cf1494
Author: Tzafrir Cohen <tzafrir at debian.org>
Date:   Tue Dec 17 02:06:29 2013 +0200

    Patch AST-2013-006: fixes a buffer overflow in app_sms.
---
 debian/changelog            |  6 ++++++
 debian/patches/AST-2013-006 | 38 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series       |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 36d6083..612656f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+asterisk (1:1.8.13.1~dfsg-3+deb7u2) UNRELEASED; urgency=high
+
+  * Patch AST-2013-006: fixes a buffer overflow in app_sms.
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Tue, 17 Dec 2013 02:05:19 +0200
+
 asterisk (1:1.8.13.1~dfsg-3+deb7u1) stable-security; urgency=high
 
   * Patch AST-2013-004 (CVE-2013-5641): chan_sip: crash in ACK to SDP
diff --git a/debian/patches/AST-2013-006 b/debian/patches/AST-2013-006
new file mode 100644
index 0000000..5291cfe
--- /dev/null
+++ b/debian/patches/AST-2013-006
@@ -0,0 +1,38 @@
+Subject: app_sms: BufferOverflow when receiving odd length 16 bit message
+From: Scott Griepentrog <sgriepentrog at digium.com>
+Date: Mon, 16 Dec 2013 15:18:56 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=403853
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-22590
+
+This patch prevents an infinite loop overwriting memory when
+a message is received into the unpacksms16() function, where
+the length of the message is an odd number of bytes.
+
+---
+ apps/app_sms.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/app_sms.c b/apps/app_sms.c
+index 08b90d1..75d399a 100644
+--- a/apps/app_sms.c
++++ b/apps/app_sms.c
+@@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
+ 	}
+ 	while (l--) {
+ 		int v = *i++;
+-		if (l--) {
++		if (l && l--) {
+ 			v = (v << 8) + *i++;
+ 		}
+ 		*o++ = v;
+@@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
+ 	} else if (is8bit(dcs)) {
+ 		unpacksms8(i, l, udh, udhl, ud, udl, udhi);
+ 	} else {
++		l += l % 2;
+ 		unpacksms16(i, l, udh, udhl, ud, udl, udhi);
+ 	}
+ 	return l + 1;
+-- 
+1.7.10.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 7692743..3501811 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -36,3 +36,4 @@ bluetooth_bind
 fix_xmpp_19532
 AST-2013-004
 AST-2013-005
+AST-2013-006

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git

