[Pkg-voip-commits] r4236 - in asterisk/branches/sarge/debian: . patches

paravoid at alioth.debian.org paravoid at alioth.debian.org
Thu Aug 23 00:47:40 UTC 2007


Author: paravoid
Date: 2007-08-23 00:47:39 +0000 (Thu, 23 Aug 2007)
New Revision: 4236

Added:
   asterisk/branches/sarge/debian/patches/99_ASA-2007-014.dpatch
Modified:
   asterisk/branches/sarge/debian/changelog
Log:
  - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c:
    Ensure that when encoding the contents of an ast_frame into an iax_frame,
    that the size of the destination buffer is known in the iax_frame so that
    code won't write past the end of the allocated buffer when sending
    outgoing frames. (ASA-2007-014, CVE-2007-3762)

Modified: asterisk/branches/sarge/debian/changelog
===================================================================
--- asterisk/branches/sarge/debian/changelog	2007-08-23 00:46:47 UTC (rev 4235)
+++ asterisk/branches/sarge/debian/changelog	2007-08-23 00:47:39 UTC (rev 4236)
@@ -7,8 +7,13 @@
     - manager.c: Don't crash if a manager connection provides a username that
       exists in manager.conf but does not have a password, and also requests
       MD5 authentication. (ASA-2007-012, CVE-2007-2294)
+    - channels/iax2-parser.h, channels/chan_iax2.c, channels/iax2-parser.c:
+      Ensure that when encoding the contents of an ast_frame into an iax_frame,
+      that the size of the destination buffer is known in the iax_frame so that
+      code won't write past the end of the allocated buffer when sending
+      outgoing frames. (ASA-2007-014, CVE-2007-3762)
 
- -- Faidon Liambotis <paravoid at debian.org>  Thu, 23 Aug 2007 03:46:28 +0300
+ -- Faidon Liambotis <paravoid at debian.org>  Thu, 23 Aug 2007 03:47:15 +0300
 
 asterisk (1:1.0.7.dfsg.1-2sarge4) stable-security; urgency=high
 

Added: asterisk/branches/sarge/debian/patches/99_ASA-2007-014.dpatch
===================================================================
--- asterisk/branches/sarge/debian/patches/99_ASA-2007-014.dpatch	                        (rev 0)
+++ asterisk/branches/sarge/debian/patches/99_ASA-2007-014.dpatch	2007-08-23 00:47:39 UTC (rev 4236)
@@ -0,0 +1,74 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 99_ASA-2007-014.dpatch by Faidon Liambotis <paravoid at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Ensure that when encoding the contents of an ast_frame into an
+## DP: iax_frame, that the size of the destination buffer is known in the
+## DP: iax_frame so that code won't write past the end of the allocated
+## DP: buffer when sending outgoing frames.
+## DP: Backported to v1.0, original is r75444 in upstream's SVN
+## DP: Security fix, ASA-2007-014, CVE-2007-3762
+
+ at DPATCH@
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c asterisk-1.0.7.dfsg.1/channels/chan_iax2.c
+--- asterisk-1.0.7.dfsg.1~/channels/chan_iax2.c	2007-08-23 03:07:58.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c	2007-08-23 03:13:19.000000000 +0300
+@@ -3082,7 +3082,9 @@
+ 	int sendmini=0;
+ 	unsigned int lastsent;
+ 	unsigned int fts;
+-		
++
++	frb.fr2.afdatalen = sizeof(frb.buffer);
++
+ 	if (!pvt) {
+ 		ast_log(LOG_WARNING, "No private structure for packet?\n");
+ 		return -1;
+@@ -5043,6 +5045,7 @@
+ 
+ 	dblbuf[0] = 0;	/* Keep GCC from whining */
+ 	fr.callno = 0;
++	fr.afdatalen = 4096;
+ 	
+ 	res = recvfrom(netsocket, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
+ 	if (res < 0) {
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/iax2-parser.c asterisk-1.0.7.dfsg.1/channels/iax2-parser.c
+--- asterisk-1.0.7.dfsg.1~/channels/iax2-parser.c	2004-10-25 20:57:25.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/iax2-parser.c	2007-08-23 03:11:16.000000000 +0300
+@@ -688,8 +688,14 @@
+ 	fr->af.delivery.tv_sec = 0;
+ 	fr->af.delivery.tv_usec = 0;
+ 	fr->af.data = fr->afdata;
+-	if (fr->af.datalen) 
+-		memcpy(fr->af.data, f->data, fr->af.datalen);
++	if (fr->af.datalen) {
++		size_t copy_len = fr->af.datalen;
++		if (copy_len > fr->afdatalen) {
++			ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n",
++				(int) fr->afdatalen, (int) fr->af.datalen);
++			copy_len = fr->afdatalen;
++		}
++		memcpy(fr->af.data, f->data, copy_len);
+ }
+ 
+ struct iax_frame *iax_frame_new(int direction, int datalen)
+@@ -697,6 +703,7 @@
+ 	struct iax_frame *fr;
+ 	fr = malloc((int)sizeof(struct iax_frame) + datalen);
+ 	if (fr) {
++		fr->afdatalen = datalen;
+ 		fr->direction = direction;
+ 		fr->retrans = -1;
+ 		frames++;
+diff -urNad asterisk-1.0.7.dfsg.1~/channels/iax2-parser.h asterisk-1.0.7.dfsg.1/channels/iax2-parser.h
+--- asterisk-1.0.7.dfsg.1~/channels/iax2-parser.h	2004-07-07 12:34:01.000000000 +0300
++++ asterisk-1.0.7.dfsg.1/channels/iax2-parser.h	2007-08-23 03:08:31.000000000 +0300
+@@ -98,6 +98,8 @@
+ 	struct iax_frame *prev;
+ 	/* Actual, isolated frame header */
+ 	struct ast_frame af;
++	/* Amount of data _allocated_ for afdata */
++	size_t afdatalen;
+ 	unsigned char unused[AST_FRIENDLY_OFFSET];
+ 	unsigned char afdata[0];	/* Data for frame */
+ };
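Review bot: The added `if (fr->af.datalen) {` in the embedded iax2-parser.c hunk (`@@ -688,8 +688,14 @@`) is never closed: only the inner `if (copy_len > fr->afdatalen)` gets a `}`, and the line after the `memcpy` is the context `}` that used to end the function, so as shown the backport looks like it will not compile. A tab-indented `}` is needed right after `memcpy(fr->af.data, f->data, copy_len);`, with the embedded hunk's new-side line count adjusted to match. On the truncation path `fr->af.datalen` keeps the original, larger length, so code that later trusts it would see more bytes than were copied into `afdata`; setting `fr->af.datalen = copy_len;` in that branch would keep the two consistent, assuming no caller depends on the untruncated value. In the chan_iax2.c hunk at line 5043, `fr.afdatalen = 4096;` is a bare constant for a buffer that is not visible here, whereas the first hunk uses `sizeof(frb.buffer)`; deriving it with `sizeof` on the real buffer would stop the two from drifting apart. The enclosing functions begin outside the embedded hunks.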


Property changes on: asterisk/branches/sarge/debian/patches/99_ASA-2007-014.dpatch
___________________________________________________________________
Name: svn:executable
   + *



