From 6f02a831024dec1f687cfe1b6bd2b49f2232082b Mon Sep 17 00:00:00 2001 From: Nicolas Thill Date: Fri, 10 Apr 2009 11:53:12 +0000 Subject: [PATCH] [CVE-2009-0871] fix remote crash vulnerability in Asterisk SIP channel driver (closes: #4910) SVN-Revision: 15188 --- .../patches/901-cve-2009-0871.patch | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 net/asterisk-1.4.x/patches/901-cve-2009-0871.patch diff --git a/net/asterisk-1.4.x/patches/901-cve-2009-0871.patch b/net/asterisk-1.4.x/patches/901-cve-2009-0871.patch new file mode 100644 index 0000000000..bd478ac287 --- /dev/null +++ b/net/asterisk-1.4.x/patches/901-cve-2009-0871.patch @@ -0,0 +1,70 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0871 + +--- a/channels/chan_sip.c ++++ b/channels/chan_sip.c +@@ -13917,19 +13917,32 @@ static int handle_invite_replaces(struct + */ + static int sip_uri_params_cmp(const char *input1, const char *input2) + { +- char *params1 = ast_strdupa(input1); +- char *params2 = ast_strdupa(input2); ++ char *params1 = NULL; ++ char *params2 = NULL; + char *pos1; + char *pos2; ++ int zerolength1 = 0; ++ int zerolength2 = 0; + int maddrmatch = 0; + int ttlmatch = 0; + int usermatch = 0; + int methodmatch = 0; + ++ if (ast_strlen_zero(input1)) { ++ zerolength1 = 1; ++ } else { ++ params1 = ast_strdupa(input1); ++ } ++ if (ast_strlen_zero(input2)) { ++ zerolength2 = 1; ++ } else { ++ params2 = ast_strdupa(input2); ++ } ++ + /*Quick optimization. If both params are zero-length, then + * they match + */ +- if (ast_strlen_zero(params1) && ast_strlen_zero(params2)) { ++ if (zerolength1 && zerolength2) { + return 0; + } + +@@ -14044,13 +14057,25 @@ fail: + */ + static int sip_uri_headers_cmp(const char *input1, const char *input2) + { +- char *headers1 = ast_strdupa(input1); +- char *headers2 = ast_strdupa(input2); +- int zerolength1 = ast_strlen_zero(headers1); +- int zerolength2 = ast_strlen_zero(headers2); ++ char *headers1 = NULL; ++ char *headers2 = NULL; ++ int zerolength1 = 0; ++ int zerolength2 = 0; + int different = 0; + char *header1; + ++ if (ast_strlen_zero(input1)) { ++ zerolength1 = 1; ++ } else { ++ headers1 = ast_strdupa(input1); ++ } ++ ++ if (ast_strlen_zero(input2)) { ++ zerolength2 = 1; ++ } else { ++ headers2 = ast_strdupa(input2); ++ } ++ + if ((zerolength1 && !zerolength2) || + (zerolength2 && !zerolength1)) + return 1; -- 2.30.2