author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2010-11-15 07:42:39 +0000 |
---|---|---|
committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2010-11-15 07:42:39 +0000 |
commit | 68aaa045fa571149a00bac8fac441ed861293d8d (patch) | |
tree | 4955a701ec4fd8c1ccefdee63cd71846bcc7682b | |
parent | ca648b3d32df43b3adbc5e95dc9b5fc3f61dd9e2 (diff) |
It is possible to crash Asterisk by feeding the curl engine invalid data.
(closes issue #18161)
Reported by: wdoekes
Patches:
20101029__issue18161.diff.txt uploaded by tilghman (license 14)
Tested by: tilghman
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.2@294988 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r-- | funcs/func_curl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/funcs/func_curl.c b/funcs/func_curl.c
index d10209822..9d6a0c846 100644
--- a/funcs/func_curl.c
+++ b/funcs/func_curl.c
@@ -477,8 +477,11 @@ static int acf_curl_exec(struct ast_channel *chan, const char *cmd, char *info,
 struct ast_str *fields = ast_str_create(ast_str_strlen(str) / 2);
 struct ast_str *values = ast_str_create(ast_str_strlen(str) / 2);
 int rowcount = 0;
- while ((piece = strsep(&remainder, "&"))) {
+ while (fields && values && (piece = strsep(&remainder, "&"))) {
 char *name = strsep(&piece, "=");
+ if (!piece) {
+ piece = "";
+ }
 ast_uri_decode(piece);
 ast_uri_decode(name);
 ast_str_append(&fields, 0, "%s%s", rowcount ? "," : "", name); |
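Review bot: The fallback `piece = "";` hands a string literal to `ast_uri_decode(piece)` on the next line, and the way `name` is appended right after its own decode call indicates that function rewrites its argument in place. If it stores anything through the pointer for an empty input (a terminating NUL would be enough), that is a write to a literal, which is undefined behaviour and can fault where literals sit in read-only memory, so a response field without `=` could still bring the process down. Skipping the decode is safer: `if (piece) { ast_uri_decode(piece); }`, with the empty string substituted only where the value is appended, which is outside this hunk. The new `fields && values` guard also skips the loop when only one allocation failed, so the code after the loop (not visible here) should be checked for how it handles a NULL in either pointer and whether it frees the other.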