Bug#336828: asterisk: computer hangs if config file includes a directory

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Nov 1 21:04:19 UTC 2005


On Tue, Nov 01, 2005 at 09:38:39AM -0500, Jamie McClelland wrote:
> Package: asterisk
> Version: 1.0.7-BRIstuffed-0.2.0-RC7k
> Severity: normal
> 
> 
> If you create a directory in /etc/asterisk, such as:
> 
> mkdir /etc/asterisk/extensions
> 
> And then add a directive to include the directory in another file, such as:
> 
> echo "#include extensions" >> /etc/asterisk/extensions.conf
> 
> Then reload asterisk, asterisk will either:
> 
> * Hang the entire computer (if run with the -p option which is the default)
> or
> * Hang asterisk - taking up 99% of CPU utilization.
> 
> See the following bug reports upstream:
> 
> http://bugs.digium.com/view.php?id=5510
> http://bugs.digium.com/view.php?id=4637

Note that this requires the ability to modify the dialplan. If you can
do that, you can normally do other, more malicious, things than this
simple DoS attack. So it's not a security hole.

But it is a nasty bug. It can easily get your computer to hang 
automatically on boot.


I attach the fix from bug #4637. It is already part of my packages,
naturally. As mentioned in bug #5510, this bug has already been fixed in
1.2. Hmmm, I was sure I also applied it to the official asterisk
debs...

-- 
Tzafrir Cohen     icq#16849755  +972-50-7952406
tzafrir.cohen at xorcom.com  http://www.xorcom.com
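
The hang described in the report, reproduced in a bounded form next to a reader that refuses directories. This is an added example, not code from the message or from Asterisk; the function names and the `limit` cap are hypothetical, and it assumes Linux/glibc, where `fopen()` on a directory succeeds and every read then fails with EISDIR.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fileno() */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>

/* Loop shape from the report: only feof() can end it. `limit` is a safety
 * cap added for this demo. Returns the number of iterations performed. */
long feof_only_loop(const char *path, long limit)
{
    char buf[512];
    long n = 0;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (!feof(f) && n < limit) {
        n++;
        if (!fgets(buf, sizeof(buf), f))
            continue;   /* on a directory: read error, EOF is never set */
    }
    fclose(f);
    return n;
}

/* Hardened reader: reject non-regular files, stop on EOF or on error.
 * Returns the number of fgets() chunks read, or -1 with errno set. */
long read_config(const char *path)
{
    char buf[512];
    long n = 0;
    int err = 0;
    struct stat st;
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    /* fstat the open stream, not the path, so the check cannot be raced. */
    if (fstat(fileno(f), &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode))
        err = S_ISDIR(st.st_mode) ? EISDIR : EINVAL;
    while (!err && fgets(buf, sizeof(buf), f))
        n++;            /* fgets() returns NULL on EOF and on error */
    if (!err && ferror(f))
        err = EIO;
    fclose(f);
    errno = err;
    return err ? -1 : n;
}
```

On a directory `feof_only_loop()` runs until the cap, which is the unbounded spin in the report, while `read_config()` fails immediately with EISDIR.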
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## include_dir_hang_fix.dpatch by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Don't hang in a loop in case we #include-d a directory

@DPATCH@
diff -urNad asterisk-1.0.9.dfsg.1/config.c /tmp/dpep.oKwZhH/asterisk-1.0.9.dfsg.1/config.c
--- asterisk-1.0.9.dfsg.1/config.c	2005-07-04 21:58:39.000000000 +0300
+++ /tmp/dpep.oKwZhH/asterisk-1.0.9.dfsg.1/config.c	2005-07-04 22:02:01.000000000 +0300
@@ -799,8 +799,10 @@
 			fclose(f);
 			return NULL;
 		}
-		while(!feof(f)) {
+		while(!feof(f) && ((ferror(f)) != 0) ) {
+			/* in the above, when read(2) sets errno to EISDIR, ferror returns 1 */
 			lineno++;
+			clearer(f); /* to notice fgets errors. really necessary? */
 			if (fgets(buf, sizeof(buf), f)) {
 				if (cfg_process(tmp, _tmpc, _last, buf, lineno, configfile, includelevel
 #ifdef PRESERVE_COMMENTS
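
Review bot: the new loop condition `while(!feof(f) && ((ferror(f)) != 0) )` is inverted. On a freshly opened stream the error indicator is clear, so `ferror(f) != 0` is false and the body never runs, which means no configuration line is read at all; the test should be `!ferror(f)`. On the added line inside the loop, `clearer(f)` is not a stdio function (the call is `clearerr(f)`), so the patch will not build as written. Note also that `clearerr` resets the EOF indicator as well as the error indicator, and the loop condition already sees the error from the previous `fgets` before the clear happens, so the call answers its own "really necessary?" with no: it can be dropped, and the existing `if (fgets(...))` can take an `else break;` to end the loop on the first failed read.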

