alpine 3.6
buffer weakness #236

5

Weakness Breakdown


Definition:

Buffer overflows are one of the most well-known software vulnerabilities. Even though most developers know what buffer overflows are, attacks against these vulnerabilities remain common in both legacy and newer applications. A classic buffer overflow exploit begins with the attacker sending data to a program, which the program then stores in an undersized stack buffer. Besides stack buffer overflows, other kinds of buffer overflows include heap overflows, off-by-one errors and many others. Learn more about buffer overflows on the OWASP attack index.

Warning code(s):

Easily used incorrectly.

File Name:

asterisk/src/asterisk-14.7.8/apps/app_voicemail.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 buffer weakness.

 			retries = 0;
		switch (cmd) {
		case '1': 

#ifdef IMAP_STORAGE
			/* Record new intro file */
			if (msg_cfg && msg_cfg != CONFIG_STATUS_FILEINVALID) {
				msg_id = ast_variable_retrieve(msg_cfg, "message", "msg_id");
			}
			make_file(vms->introfn, sizeof(vms->introfn), curdir, curmsg);
			strncat(vms->introfn, "intro", sizeof(vms->introfn));
			ast_play_and_wait(chan, "vm-record-prepend");
			ast_play_and_wait(chan, "beep");
			cmd = play_record_review(chan, NULL, vms->introfn, vmu->maxsecs, vm_fmts, 1, vmu, (int *) duration, NULL, NULL, record_gain, vms, flag, msg_id, 1);
			if (cmd == -1) {
				break;
			}
			cmd = 't';
#else

			/* prepend a message to the current message, update the metadata and return */

			make_file(msgfile, sizeof(msgfile), curdir, curmsg);
			strcpy(textfile, msgfile);
			strncat(textfile, ".txt", sizeof(textfile) - 1);
			*duration = 0;

			/* if we can't read the message metadata, stop now */
			if (!valid_config(msg_cfg)) {
				cmd = 0;
				break;
			}

			/* Back up the original file, so we can retry the prepend and restore it after forward. */
#ifndef IMAP_STORAGE
			if (already_recorded) {
				ast_filecopy(backup, msgfile, NULL);
				copy(backup_textfile, textfile);
			}
			else {
				ast_filecopy(msgfile, backup, NULL);
				copy(textfile, backup_textfile);
			}
#endif
			already_recorded = 1;

			if (record_gain)
				ast_channel_setoption(chan, AST_OPTION_RXGAIN, &record_gain, sizeof(record_gain), 0);

			cmd = ast_play_and_prepend(chan, NULL, msgfile, 0, vm_fmts, &prepend_duration, NULL, 1, silencethreshold, maxsilence); 
