kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-27 06:31:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3cfc54eceff48d12bbd817bd9674b4bc12bb9da8
asterisk/apps/app_milliwatt.c
Jason Parker e854851dc3 Multiple revisions 359656,359706,359979 
........
  r359656 | mjordan | 2012-03-15 13:35:59 -0500 (Thu, 15 Mar 2012) | 22 lines
  
  Fix remotely exploitable stack overrun in Milliwatt
  
  Milliwatt is vulnerable to a remotely exploitable stack overrun when using
  the 'o' option.  This occurs due to the milliwatt_generate function not
  accounting for AST_FRIENDLY_OFFSET when calculating the maximum number of
  samples it can put in the output buffer.
  
  This patch resolves this issue by taking into account AST_FRIENDLY_OFFSET
  when determining the maximum number of samples allowed.  Note that at no
  point is remote code execution possible.  The data that is written into the
  buffer is the pre-defined Milliwatt data, and not custom data.
  
  (closes issue ASTERISK-19541)
  Reported by: Russell Bryant
  Tested by: Matt Jordan
  Patches:
    milliwatt_stack_overrun.rev1.txt by Russell Bryant (license 6283)
    Note that this patch was written by Russell, even though Matt uploaded it
  ........
  
  Merged revisions 359645 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........
  r359706 | mjordan | 2012-03-15 14:01:22 -0500 (Thu, 15 Mar 2012) | 16 lines
  
  Fix remotely exploitable stack overflow in HTTP manager
  
  There exists a remotely exploitable stack buffer overflow in HTTP digest
  authentication handling in Asterisk.  The particular method in question
  is only utilized by HTTP AMI.  When parsing the digest information, the
  length of the string is not checked when it is copied into temporary buffers
  allocated on the stack.
  
  This patch fixes this behavior by parsing out pre-defined key/value pairs
  and avoiding unnecessary copies to the stack.
  
  (closes issue ASTERISK-19542)
  Reported by: Russell Bryant
  Tested by: Matt Jordan
........
  r359979 | rmudgett | 2012-03-20 12:21:16 -0500 (Tue, 20 Mar 2012) | 28 lines
  
  Allow AMI action callback to be reentrant.
  
  Fix AMI module reload deadlock regression from ASTERISK-18479 when it
  tried to fix the race between calling an AMI action callback and
  unregistering that action.  Refixes ASTERISK-13784 broken by
  ASTERISK-17785 change.
  
  Locking the ao2 object guaranteed that there were no active callbacks that
  mattered when ast_manager_unregister() was called.  Unfortunately, this
  causes the deadlock situation.  The patch stops locking the ao2 object to
  allow multiple threads to invoke the callback re-entrantly.  There is no
  way to guarantee a module unload will not crash because of an active
  callback.  The code attempts to minimize the chance with the registered
  flag and the maximum 5 second delay before ast_manager_unregister()
  returns.
  
  The trunk version of the patch changes the API to fix the race condition
  correctly to prevent the module code from unloading from memory while an
  action callback is active.
  
  * Don't hold the lock while calling the AMI action callback.
  
  (closes issue ASTERISK-19487)
  Reported by: Philippe Lindheimer
  
  Review: https://reviewboard.asterisk.org/r/1818/
  Review: https://reviewboard.asterisk.org/r/1820/
........

Merged revisions 359656,359706,359979 from http://svn.asterisk.org/svn/asterisk/branches/1.8


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8-digiumphones@360826 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2012-03-29 21:49:14 +00:00

176 lines
4.3 KiB
C
Raw Blame History

/*
* Asterisk -- An open source telephony toolkit.
*
* Copyright (C) 1999 - 2005, Digium, Inc.
*
* Mark Spencer <markster@digium.com>
*
* See http://www.asterisk.org for more information about
* the Asterisk project. Please do not directly contact
* any of the maintainers of this project for assistance;
* the project provides a web site, mailing lists and IRC
* channels for your use.
*
* This program is free software, distributed under the terms of
* the GNU General Public License Version 2. See the LICENSE file
* at the top of the source tree.
*/
/*! \file
*
* \brief Digital Milliwatt Test
*
* \author Mark Spencer <markster@digium.com>
*
* \ingroup applications
*/
/*** MODULEINFO
<support_level>core</support_level>
***/
#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
#include "asterisk/module.h"
#include "asterisk/channel.h"
#include "asterisk/pbx.h"
#include "asterisk/indications.h"
/*** DOCUMENTATION
<application name="Milliwatt" language="en_US">
<synopsis>
Generate a Constant 1004Hz tone at 0dbm (mu-law).
</synopsis>
<syntax>
<parameter name="options">
<optionlist>
<option name="o">
<para>Generate the tone at 1000Hz like previous version.</para>
</option>
</optionlist>
</parameter>
</syntax>
<description>
<para>Previous versions of this application generated the tone at 1000Hz. If for
some reason you would prefer that behavior, supply the <literal>o</literal> option to get the
old behavior.</para>
</description>
</application>
***/
static const char app[] = "Milliwatt";
static const char digital_milliwatt[] = {0x1e,0x0b,0x0b,0x1e,0x9e,0x8b,0x8b,0x9e} ;
static void *milliwatt_alloc(struct ast_channel *chan, void *params)
{
return ast_calloc(1, sizeof(int));
}
static void milliwatt_release(struct ast_channel *chan, void *data)
{
ast_free(data);
return;
}
static int milliwatt_generate(struct ast_channel *chan, void *data, int len, int samples)
{
unsigned char buf[AST_FRIENDLY_OFFSET + 640];
const int maxsamples = ARRAY_LEN(buf) - (AST_FRIENDLY_OFFSET / sizeof(buf[0]));
int i, *indexp = (int *) data;
struct ast_frame wf = {
.frametype = AST_FRAME_VOICE,
.subclass.codec = AST_FORMAT_ULAW,
.offset = AST_FRIENDLY_OFFSET,
.src = __FUNCTION__,
};
wf.data.ptr = buf + AST_FRIENDLY_OFFSET;
/* Instead of len, use samples, because channel.c generator_force
* generate(chan, tmp, 0, 160) ignores len. In any case, len is
* a multiple of samples, given by number of samples times bytes per
* sample. In the case of ulaw, len = samples. for signed linear
* len = 2 * samples */
if (samples > maxsamples) {
ast_log(LOG_WARNING, "Only doing %d samples (%d requested)\n", maxsamples, samples);
samples = maxsamples;
}
len = samples * sizeof (buf[0]);
wf.datalen = len;
wf.samples = samples;
/* create a buffer containing the digital milliwatt pattern */
for (i = 0; i < len; i++) {
buf[AST_FRIENDLY_OFFSET + i] = digital_milliwatt[(*indexp)++];
*indexp &= 7;
}
if (ast_write(chan,&wf) < 0) {
ast_log(LOG_WARNING,"Failed to write frame to '%s': %s\n",chan->name,strerror(errno));
return -1;
}
return 0;
}
static struct ast_generator milliwattgen = {
alloc: milliwatt_alloc,
release: milliwatt_release,
generate: milliwatt_generate,
};
static int old_milliwatt_exec(struct ast_channel *chan)
{
ast_set_write_format(chan, AST_FORMAT_ULAW);
ast_set_read_format(chan, AST_FORMAT_ULAW);
if (chan->_state != AST_STATE_UP) {
ast_answer(chan);
}
if (ast_activate_generator(chan,&milliwattgen,"milliwatt") < 0) {
ast_log(LOG_WARNING,"Failed to activate generator on '%s'\n",chan->name);
return -1;
}
while (!ast_safe_sleep(chan, 10000))
;
ast_deactivate_generator(chan);
return -1;
}
static int milliwatt_exec(struct ast_channel *chan, const char *data)
{
const char *options = data;
int res = -1;
if (!ast_strlen_zero(options) && strchr(options, 'o')) {
return old_milliwatt_exec(chan);
}
res = ast_playtones_start(chan, 23255, "1004/1000", 0);
while (!res) {
res = ast_safe_sleep(chan, 10000);
}
return res;
}
static int unload_module(void)
{
return ast_unregister_application(app);
}
static int load_module(void)
{
return ast_register_application_xml(app, milliwatt_exec);
}
AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "Digital Milliwatt (mu-law) Test Application");
Reference in New Issue View Git Blame Copy Permalink