[Pkg-voip-commits] [asterisk] 01/03: Patch AST-2013-006: a buffer overflow in app_sms

Thu Dec 19 11:00:29 UTC 2013

This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch squeeze
in repository asterisk.

commit 260ec0a148d232aa690151bc5c9e2d9f5d00446c
Author: Tzafrir Cohen <tzafrir at debian.org>
Date:   Wed Dec 18 16:12:27 2013 +0200

    Patch AST-2013-006: a buffer overflow in app_sms
---
 debian/changelog            |  6 ++++++
 debian/patches/AST-2013-006 | 38 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series       |  1 +
 3 files changed, 45 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bf71ecf..8eff644 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+asterisk (1:1.6.2.9-2+squeeze12) UNRELEASED; urgency=high
+
+  * Patch AST-2013-006: fixes a buffer overflow in app_sms.
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Tue, 17 Dec 2013 20:36:21 +0200
+
 asterisk (1:1.6.2.9-2+squeeze11) oldstable-security; urgency=high
 
   * Patch AST-2013-004 (CVE-2013-5641): chan_sip: crash in ACK to SDP
diff --git a/debian/patches/AST-2013-006 b/debian/patches/AST-2013-006
new file mode 100644
index 0000000..5291cfe
--- /dev/null
+++ b/debian/patches/AST-2013-006
@@ -0,0 +1,38 @@
+Subject: app_sms: BufferOverflow when receiving odd length 16 bit message
+From: Scott Griepentrog <sgriepentrog at digium.com>
+Date: Mon, 16 Dec 2013 15:18:56 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=403853
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-22590
+
+This patch prevents an infinite loop overwriting memory when
+a message is received into the unpacksms16() function, where
+the length of the message is an odd number of bytes.
+
+---
+ apps/app_sms.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/app_sms.c b/apps/app_sms.c
+index 08b90d1..75d399a 100644
+--- a/apps/app_sms.c
++++ b/apps/app_sms.c
+@@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
+ 	}
+ 	while (l--) {
+ 		int v = *i++;
+-		if (l--) {
++		if (l && l--) {
+ 			v = (v << 8) + *i++;
+ 		}
+ 		*o++ = v;
+@@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
+ 	} else if (is8bit(dcs)) {
+ 		unpacksms8(i, l, udh, udhl, ud, udl, udhi);
+ 	} else {
++		l += l % 2;
+ 		unpacksms16(i, l, udh, udhl, ud, udl, udhi);
+ 	}
+ 	return l + 1;
+-- 
+1.7.10.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 561d070..17c5d39 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -63,3 +63,4 @@ AST-2012-014
 AST-2012-015
 AST-2013-004
 AST-2013-005
+AST-2013-006

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git

