Fix potential for stack overflows in app_chanspy.c
When using the 'g' or 'e' options, the stack allocations that were used could cause a stack overflow if a spyer stayed on the line long enough without actually successfully spying on anyone. The problem has been corrected by using static buffers and copying the contents of the appropriate strings into them instead of using functions like alloca or ast_strdupa git-svn-id: http://svn.digium.com/svn/asterisk/trunk@174805 f38db490-d61c-443f-a65b-d21fe96a405b
This commit is contained in:
mmichelson
parent
960ba29f0e
commit
11cc929d0f
|
|
@ -829,22 +829,9 @@ static int common_exec(struct ast_channel *chan, struct ast_flags *flags,
|
|||
chanspy_ds_free(peer_chanspy_ds), prev = peer,
|
||||
peer_chanspy_ds = next_chanspy_ds ? next_chanspy_ds :
|
||||
next_channel(chan, prev, spec, exten, context, &chanspy_ds), next_chanspy_ds = NULL) {
|
||||
const char *group;
|
||||
int igrp = !mygroup;
|
||||
char *groups[NUM_SPYGROUPS];
|
||||
char *mygroups[NUM_SPYGROUPS];
|
||||
int num_groups = 0;
|
||||
char dup_group[512];
|
||||
int num_mygroups = 0;
|
||||
char *dup_mygroup;
|
||||
int x;
|
||||
int y;
|
||||
char *s;
|
||||
char *buffer;
|
||||
char *end;
|
||||
char *ext;
|
||||
char *form_enforced;
|
||||
int ienf = !myenforced;
|
||||
char *s;
|
||||
|
||||
peer = peer_chanspy_ds->chan;
|
||||
|
||||
|
|
@ -873,7 +860,16 @@ static int common_exec(struct ast_channel *chan, struct ast_flags *flags,
|
|||
}
|
||||
|
||||
if (mygroup) {
|
||||
dup_mygroup = ast_strdupa(mygroup);
|
||||
int num_groups = 0;
|
||||
int num_mygroups = 0;
|
||||
char dup_group[512];
|
||||
char dup_mygroup[512];
|
||||
char *groups[NUM_SPYGROUPS];
|
||||
char *mygroups[NUM_SPYGROUPS];
|
||||
const char *group;
|
||||
int x;
|
||||
int y;
|
||||
ast_copy_string(dup_mygroup, mygroup, sizeof(dup_mygroup));
|
||||
num_mygroups = ast_app_separate_args(dup_mygroup, ':', mygroups,
|
||||
ARRAY_LEN(mygroups));
|
||||
|
||||
|
|
@ -899,35 +895,28 @@ static int common_exec(struct ast_channel *chan, struct ast_flags *flags,
|
|||
}
|
||||
|
||||
if (myenforced) {
|
||||
char ext[AST_CHANNEL_NAME + 3];
|
||||
char buffer[512];
|
||||
char *end;
|
||||
|
||||
/* We don't need to allocate more space than just the
|
||||
length of (peer->name) for ext as we will cut the
|
||||
channel name's ending before copying into ext */
|
||||
snprintf(buffer, sizeof(buffer) - 1, ":%s:", myenforced);
|
||||
|
||||
ext = alloca(strlen(peer->name));
|
||||
|
||||
form_enforced = alloca(strlen(myenforced) + 3);
|
||||
|
||||
strcpy(form_enforced, ":");
|
||||
strcat(form_enforced, myenforced);
|
||||
strcat(form_enforced, ":");
|
||||
|
||||
buffer = ast_strdupa(peer->name);
|
||||
|
||||
if ((end = strchr(buffer, '-'))) {
|
||||
ast_copy_string(ext + 1, peer->name, sizeof(ext) - 1);
|
||||
if ((end = strchr(ext, '-'))) {
|
||||
*end++ = ':';
|
||||
*end = '\0';
|
||||
}
|
||||
|
||||
strcpy(ext, ":");
|
||||
strcat(ext, buffer);
|
||||
ext[0] = ':';
|
||||
|
||||
if (strcasestr(form_enforced, ext))
|
||||
if (strcasestr(buffer, ext)) {
|
||||
ienf = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (!ienf)
|
||||
if (!ienf) {
|
||||
continue;
|
||||
}
|
||||
|
||||
strcpy(peer_name, "spy-");
|
||||
strncat(peer_name, peer->name, AST_NAME_STRLEN - 4 - 1);
|
||||
|
|
|
|||
Reference in New Issue