asterisk-15.x: add patch for AST-2018-010 392/head
authorSebastian Kemper <sebastian_ml@gmx.net>
Wed, 14 Nov 2018 21:03:36 +0000 (22:03 +0100)
committerSebastian Kemper <sebastian_ml@gmx.net>
Wed, 14 Nov 2018 21:03:40 +0000 (22:03 +0100)
Patch from upstream:

     Summary        Remote crash vulnerability DNS SRV and NAPTR lookups
Nature of Advisory  Denial Of Service
  Susceptibility    Remote Unauthenticated Sessions
     Severity       Moderate
  Exploits Known    No
    Reported On     October 23, 2018

Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
net/asterisk-15.x/Makefile
net/asterisk-15.x/patches/140-AST-2018-010-15.diff [new file with mode: 0644]

index ff9f544bb672daaba785f4ad36647ab7dd3a29f7..cf8cbb435fac476c2f676803668fd0054ecd0f87 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=asterisk15
 PKG_VERSION:=15.3.0
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases
diff --git a/net/asterisk-15.x/patches/140-AST-2018-010-15.diff b/net/asterisk-15.x/patches/140-AST-2018-010-15.diff
new file mode 100644 (file)
index 0000000..83f5293
--- /dev/null
@@ -0,0 +1,98 @@
+From ae857488d97f94535d7c4dbe6049ddcc211bcf32 Mon Sep 17 00:00:00 2001
+From: George Joseph <gjoseph@digium.com>
+Date: Thu, 25 Oct 2018 09:25:58 -0600
+Subject: [PATCH] AST-2018-010: Fix length of buffer needed for SRV and NAPTR results
+
+When dn_expand was being called on SRV and NAPTR results, the
+return value was being used to calculate the size of the buffer
+needed to store the host names.  Since dn_expand returns the
+length of the COMPRESSED name the buffer could be too short
+to hold the EXPANDED name.  The expanded name is NULL terminated
+so using strlen() is the correct way to determine the length
+actually needed for the buffer.
+
+ASTERISK-28127
+Reported by: Jan Hoffmann
+
+patches:
+  patch.diff submitted by janhoffmann (license 6986)
+
+Change-Id: I4d35d6c431c6c6836cb61d37b1378cc47f0b414d
+---
+
+diff --git a/main/dns_naptr.c b/main/dns_naptr.c
+index 5490b55..4d67816 100644
+--- a/main/dns_naptr.c
++++ b/main/dns_naptr.c
+@@ -393,6 +393,7 @@
+       int replacement_size;
+       const char *end_of_record;
+       enum flags_result flags_res;
++      size_t naptr_len;
+       ptr = dns_find_record(data, size, query->result->answer, query->result->answer_size);
+       ast_assert(ptr != NULL);
+@@ -435,7 +436,14 @@
+               return NULL;
+       }
+-      replacement_size = dn_expand((unsigned char *)query->result->answer, (unsigned char *) end_of_record, (unsigned char *) ptr, replacement, sizeof(replacement) - 1);
++      /*
++       * The return value from dn_expand represents the size of the replacement
++       * in the buffer which MAY be compressed.  Since the expanded replacement
++       * is NULL terminated, you can use strlen() to get the expanded size.
++       */
++      replacement_size = dn_expand((unsigned char *)query->result->answer,
++              (unsigned char *) end_of_record, (unsigned char *) ptr,
++              replacement, sizeof(replacement) - 1);
+       if (replacement_size < 0) {
+               ast_log(LOG_ERROR, "Failed to expand domain name: %s\n", strerror(errno));
+               return NULL;
+@@ -475,7 +483,9 @@
+               return NULL;
+       }
+-      naptr = ast_calloc(1, sizeof(*naptr) + size + flags_size + 1 + services_size + 1 + regexp_size + 1 + replacement_size + 1);
++      naptr_len = sizeof(*naptr) + size + flags_size + 1 + services_size + 1
++              + regexp_size + 1 + strlen(replacement) + 1;
++      naptr = ast_calloc(1, naptr_len);
+       if (!naptr) {
+               return NULL;
+       }
+diff --git a/main/dns_srv.c b/main/dns_srv.c
+index b562e32..e11c84e 100644
+--- a/main/dns_srv.c
++++ b/main/dns_srv.c
+@@ -73,7 +73,13 @@
+               return NULL;
+       }
+-      host_size = dn_expand((unsigned char *)query->result->answer, (unsigned char *) end_of_record, (unsigned char *) ptr, host, sizeof(host) - 1);
++      /*
++       * The return value from dn_expand represents the size of the replacement
++       * in the buffer which MAY be compressed.  Since the expanded replacement
++       * is NULL terminated, you can use strlen() to get the expanded size.
++       */
++      host_size = dn_expand((unsigned char *)query->result->answer,
++              (unsigned char *) end_of_record, (unsigned char *) ptr, host, sizeof(host) - 1);
+       if (host_size < 0) {
+               ast_log(LOG_ERROR, "Failed to expand domain name: %s\n", strerror(errno));
+               return NULL;
+@@ -83,7 +89,7 @@
+               return NULL;
+       }
+-      srv = ast_calloc(1, sizeof(*srv) + size + host_size + 1);
++      srv = ast_calloc(1, sizeof(*srv) + size + strlen(host) + 1);
+       if (!srv) {
+               return NULL;
+       }
+@@ -94,8 +100,6 @@
+       srv->host = srv->data + size;
+       strcpy((char *)srv->host, host); /* SAFE */
+-      ((char *)srv->host)[host_size] = '\0';
+-
+       srv->generic.data_ptr = srv->data;
+       return (struct ast_dns_record *)srv;