Bug#315532: asterisk: Buffer overflow in command line parser

Santiago José Ruano Rincón santiago@unicauca.edu.co
Wed, 29 Jun 2005 12:05:00 -0500


Hi,

here is a dpatch to solve this bug, built with the one that Russell
Bryant sent to the asterisk-devel mailing list.

I've built the asterisk packages, but I haven't tried to exploit the bug
and I won't be able to do that for some days. Please, could anyone help
me to test it?

Kind regards,

-- 
Santiago Ruano Rincón
Grupo GNU/Linux de la Universidad del Cauca

GPG key fingerprint:
3821 4FB5 774A 611D 31E4  B268 414B 8423 6FEC CDE0

[Attachment: 10_debian-cli.dpatch (application/x-shellscript)]
