From 27803e8d3e6d482ef0807cb0ad7724fb2f3f9a90 Mon Sep 17 00:00:00 2001 From: Mark Michelson Date: Thu, 13 Mar 2008 21:31:44 +0000 Subject: [PATCH] Merged revisions 108529 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk ........ r108529 | mmichelson | 2008-03-13 15:59:00 -0500 (Thu, 13 Mar 2008) | 11 lines Fixing a potential buffer overflow in the manager command ModuleCheck. Though this overflow is exploitable remotely, we are NOT issuing a security advisory for this since in order to exploit the overflow, the attacker would have to establish an authenticated manager session AND have the system privilege. By gaining this privilege, the attacker already has more powerful weapons at his disposal than overflowing a buffer with a malformed manager header, so the vulnerability in this case really lies with the authentication method that allowed the attacker to gain the system privilege in the first place. ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.0@108582 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- main/manager.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main/manager.c b/main/manager.c index f7317c7099..72e154f6c3 100644 --- a/main/manager.c +++ b/main/manager.c @@ -2565,14 +2565,14 @@ static int manager_modulecheck(struct mansession *s, const struct message *m) } else { cut = filename + strlen(filename); } - sprintf(cut, ".so"); + snprintf(cut, sizeof(filename) - cut - 1, ".so"); ast_log(LOG_DEBUG, "**** ModuleCheck .so file %s\n", filename); res = ast_module_check(filename); if (!res) { astman_send_error(s, m, "Module not loaded"); return 0; } - sprintf(cut, ".c"); + snprintf(cut, sizeof(filename) - cut - 1, ".c"); ast_log(LOG_DEBUG, "**** ModuleCheck .c file %s\n", filename); version = ast_file_version_find(filename);