[Pkg-voip-commits] [asterisk] 01/03: Patch AST-2013-006: a buffer overflow in app_sms
tzafrir at debian.org
tzafrir at debian.org
Thu Dec 19 11:00:29 UTC 2013
This is an automated email from the git hooks/post-receive script.
tzafrir pushed a commit to branch squeeze
in repository asterisk.
commit 260ec0a148d232aa690151bc5c9e2d9f5d00446c
Author: Tzafrir Cohen <tzafrir at debian.org>
Date: Wed Dec 18 16:12:27 2013 +0200
Patch AST-2013-006: a buffer overflow in app_sms
---
debian/changelog | 6 ++++++
debian/patches/AST-2013-006 | 38 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 45 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index bf71ecf..8eff644 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+asterisk (1:1.6.2.9-2+squeeze12) UNRELEASED; urgency=high
+
+ * Patch AST-2013-006: fixes a buffer overflow in app_sms.
+
+ -- Tzafrir Cohen <tzafrir at debian.org> Tue, 17 Dec 2013 20:36:21 +0200
+
asterisk (1:1.6.2.9-2+squeeze11) oldstable-security; urgency=high
* Patch AST-2013-004 (CVE-2013-5641): chan_sip: crash in ACK to SDP
diff --git a/debian/patches/AST-2013-006 b/debian/patches/AST-2013-006
new file mode 100644
index 0000000..5291cfe
--- /dev/null
+++ b/debian/patches/AST-2013-006
@@ -0,0 +1,38 @@
+Subject: app_sms: BufferOverflow when receiving odd length 16 bit message
+From: Scott Griepentrog <sgriepentrog at digium.com>
+Date: Mon, 16 Dec 2013 15:18:56 +0000
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=403853
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-22590
+
+This patch prevents an infinite loop overwriting memory when
+a message is received into the unpacksms16() function, where
+the length of the message is an odd number of bytes.
+
+---
+ apps/app_sms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/apps/app_sms.c b/apps/app_sms.c
+index 08b90d1..75d399a 100644
+--- a/apps/app_sms.c
++++ b/apps/app_sms.c
+@@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
+ }
+ while (l--) {
+ int v = *i++;
+- if (l--) {
++ if (l && l--) {
+ v = (v << 8) + *i++;
+ }
+ *o++ = v;
+@@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
+ } else if (is8bit(dcs)) {
+ unpacksms8(i, l, udh, udhl, ud, udl, udhi);
+ } else {
++ l += l % 2;
+ unpacksms16(i, l, udh, udhl, ud, udl, udhi);
+ }
+ return l + 1;
+--
+1.7.10.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 561d070..17c5d39 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -63,3 +63,4 @@ AST-2012-014
AST-2012-015
AST-2013-004
AST-2013-005
+AST-2013-006
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git
More information about the Pkg-voip-commits
mailing list