From 2477b9e3d76ecf7954abe063dc9262ee500f2966 Mon Sep 17 00:00:00 2001 From: Mike Jerris Date: Mon, 6 Mar 2017 12:51:29 -0600 Subject: [PATCH] FS-10001: [core] Fix Buffer overflow collecting digits --- src/mod/applications/mod_dptools/mod_dptools.c | 3 +++ src/switch_ivr.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/src/mod/applications/mod_dptools/mod_dptools.c b/src/mod/applications/mod_dptools/mod_dptools.c index fb397fa972..d126101e78 100644 --- a/src/mod/applications/mod_dptools/mod_dptools.c +++ b/src/mod/applications/mod_dptools/mod_dptools.c @@ -904,6 +904,7 @@ SWITCH_STANDARD_APP(eavesdrop_function) if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) { switch_ivr_play_file(session, NULL, file, NULL); } + buf[0] = '\0'; switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0); continue; } @@ -923,6 +924,7 @@ SWITCH_STANDARD_APP(eavesdrop_function) if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) { switch_ivr_play_file(session, NULL, file, NULL); } + buf[0] = '\0'; switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0); } } @@ -931,6 +933,7 @@ SWITCH_STANDARD_APP(eavesdrop_function) if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_idle"))) { switch_ivr_play_file(session, NULL, file, NULL); } + buf[0] = '\0'; switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 2000, 0, 0); } } diff --git a/src/switch_ivr.c b/src/switch_ivr.c index 83965c6df3..765e77a4d7 100644 --- a/src/switch_ivr.c +++ b/src/switch_ivr.c @@ -1304,6 +1304,11 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_collect_digits_count(switch_core_sess int sval = 0; const char *var; + + if (x >= buflen || x >= maxdigits) { + return SWITCH_STATUS_FALSE; + } + if ((var = switch_channel_get_variable(channel, SWITCH_SEND_SILENCE_WHEN_IDLE_VARIABLE)) && (sval = atoi(var))) { switch_core_session_get_read_impl(session, &imp);