kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2026-06-09 03:45:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

callerid: fix signed char causing crash in MDMF parser

Browse Source 
Change rawdata buffer from char to unsigned char to prevent
sign-extension of TLV length bytes >= 0x80. On signed-char
platforms (all Asterisk builds due to -fsigned-char in
configure.ac), these values become negative when assigned to
int, bypass the `if (res > 32)` bounds check, and reach
memcpy as size_t producing a ~18 EB read that immediately
crashes with SIGSEGV.

Affects DAHDI analog (FXO) channels only. Not reachable
via SIP, PRI/BRI, or DTMF-based Caller ID.

Fixes: #1839
This commit is contained in:
Milan Kyselica
2026-03-25 23:29:46 +01:00
committed by Asterisk Development Team
parent da123773c7
commit f9b6509bb0
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
main/callerid.c
View File

@@ -44,7 +44,7 @@
struct callerid_state {
fsk_data fskd;
char rawdata[256];
unsigned char rawdata[256];
short oldstuff[160];
int oldlen;
int pos;
@@ -440,7 +440,7 @@ int callerid_feed_jp(struct callerid_state *cid, unsigned char *ubuf, int len, s
cid->name[0] = '\0';
cid->flags = 0;
res = cid->rawdata[x++];
ast_copy_string(cid->number, &cid->rawdata[x], res+1);
ast_copy_string(cid->number, (const char *) &cid->rawdata[x], res+1);
x += res;
break;
case 0x21: /* additional information */
@@ -782,7 +782,7 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, stru
} else {
/* SDMF */
ast_debug(6, "SDMF Caller*ID spill received\n");
ast_copy_string(cid->number, cid->rawdata + 8, sizeof(cid->number));
ast_copy_string(cid->number, (const char *) cid->rawdata + 8, sizeof(cid->number));
}
if (!strcmp(cid->number, "P")) {
ast_debug(6, "Caller*ID number is private\n");