sysmocom
/
asterisk
11
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

various modules: json integer overflow 

There were still a few places in the code that could overflow when "packing"
a json object with a value outside the base type integer's range. For instance:

unsigned int value = INT_MAX + 1
ast_json_pack("{s: i}", value);

would result in a negative number being "packed". In those situations this patch
alters those values to a ast_json_int_t, which widens the value up to a long or
long long.

ASTERISK-28480

Change-Id: Ied530780d83e6f1772adba0e28d8938ef30c49a1
This commit is contained in:
Kevin Harwell 2019-08-01 16:22:01 -05:00
parent 8de36bfa41
commit 6bb14150c4
10 changed files with 38 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
apps/app_agent_pool.c
View File

@ -1457,9 +1457,9 @@ static void send_agent_logoff(struct ast_channel *chan, const char *agent, long
ast_assert(agent != NULL);
blob = ast_json_pack("{s: s, s: i}",
blob = ast_json_pack("{s: s, s: I}",
"agent", agent,
"logintime", logintime);
"logintime", (ast_json_int_t)logintime);
if (!blob) {
return;
}

12
apps/app_queue.c
View File

@ -5898,12 +5898,12 @@ static void send_agent_complete(const char *queuename, struct ast_channel_snapsh
break;
}
blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i, s: s}",
blob = ast_json_pack("{s: s, s: s, s: s, s: I, s: I, s: s}",
"Queue", queuename,
"Interface", member->interface,
"MemberName", member->membername,
"HoldTime", (long)(callstart - holdstart),
"TalkTime", (long)(time(NULL) - callstart),
"HoldTime", (ast_json_int_t)(callstart - holdstart),
"TalkTime", (ast_json_int_t)(time(NULL) - callstart),
"Reason", reason ?: "");
queue_publish_multi_channel_snapshot_blob(ast_queue_topic(queuename), caller, peer,
@ -7174,12 +7174,12 @@ static int try_calling(struct queue_ent *qe, struct ast_flags opts, char **opt_a
ast_queue_log(queuename, ast_channel_uniqueid(qe->chan), member->membername, "CONNECT", "%ld|%s|%ld", (long) (time(NULL) - qe->start), ast_channel_uniqueid(peer),
(long)(orig - to > 0 ? (orig - to) / 1000 : 0));
blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i}",
blob = ast_json_pack("{s: s, s: s, s: s, s: I, s: I}",
"Queue", queuename,
"Interface", member->interface,
"MemberName", member->membername,
"HoldTime", (long) (time(NULL) - qe->start),
"RingTime", (long)(orig - to > 0 ? (orig - to) / 1000 : 0));
"HoldTime", (ast_json_int_t)(time(NULL) - qe->start),
"RingTime", (ast_json_int_t)(orig - to > 0 ? (orig - to) / 1000 : 0));
queue_publish_multi_channel_blob(qe->chan, peer, queue_agent_connect_type(), blob);
ast_copy_string(oldcontext, ast_channel_context(qe->chan), sizeof(oldcontext));

8
channels/chan_iax2.c
View File

@ -11111,18 +11111,18 @@ static int socket_process_helper(struct iax2_thread *thread)
if (iaxs[fr->callno]->pingtime <= peer->maxms) {
ast_log(LOG_NOTICE, "Peer '%s' is now REACHABLE! Time: %u\n", peer->name, iaxs[fr->callno]->pingtime);
ast_endpoint_set_state(peer->endpoint, AST_ENDPOINT_ONLINE);
blob = ast_json_pack("{s: s, s: i}",
blob = ast_json_pack("{s: s, s: I}",
"peer_status", "Reachable",
"time", iaxs[fr->callno]->pingtime);
"time", (ast_json_int_t)iaxs[fr->callno]->pingtime);
ast_devstate_changed(AST_DEVICE_NOT_INUSE, AST_DEVSTATE_CACHABLE, "IAX2/%s", peer->name); /* Activate notification */
}
} else if ((peer->historicms > 0) && (peer->historicms <= peer->maxms)) {
if (iaxs[fr->callno]->pingtime > peer->maxms) {
ast_log(LOG_NOTICE, "Peer '%s' is now TOO LAGGED (%u ms)!\n", peer->name, iaxs[fr->callno]->pingtime);
ast_endpoint_set_state(peer->endpoint, AST_ENDPOINT_ONLINE);
blob = ast_json_pack("{s: s, s: i}",
blob = ast_json_pack("{s: s, s: I}",
"peer_status", "Lagged",
"time", iaxs[fr->callno]->pingtime);
"time", (ast_json_int_t)iaxs[fr->callno]->pingtime);
ast_devstate_changed(AST_DEVICE_UNAVAILABLE, AST_DEVSTATE_CACHABLE, "IAX2/%s", peer->name); /* Activate notification */
}
}

2
funcs/func_talkdetect.c
View File

@ -203,7 +203,7 @@ static int talk_detect_audiohook_cb(struct ast_audiohook *audiohook, struct ast_
int64_t diff_ms = ast_tvdiff_ms(ast_tvnow(), td_params->talking_start);
diff_ms -= td_params->dsp_silence_threshold;
blob = ast_json_pack("{s: i}", "duration", diff_ms);
blob = ast_json_pack("{s: I}", "duration", (ast_json_int_t)diff_ms);
if (!blob) {
return 1;
}

8
main/aoc.c
View File

@ -1738,13 +1738,13 @@ static struct ast_json *s_to_json(const struct ast_aoc_decoded *decoded)
decoded->aoc_s_entries[i].rate.duration.amount,
decoded->aoc_s_entries[i].rate.duration.multiplier);
time = ast_json_pack("{s:i, s:i}",
"Length", decoded->aoc_s_entries[i].rate.duration.time,
time = ast_json_pack("{s:I, s:i}",
"Length", (ast_json_int_t)decoded->aoc_s_entries[i].rate.duration.time,
"Scale", decoded->aoc_s_entries[i].rate.duration.time_scale);
if (decoded->aoc_s_entries[i].rate.duration.granularity_time) {
granularity = ast_json_pack("{s:i, s:i}",
"Length", decoded->aoc_s_entries[i].rate.duration.granularity_time,
granularity = ast_json_pack("{s:I, s:i}",
"Length", (ast_json_int_t)decoded->aoc_s_entries[i].rate.duration.granularity_time,
"Scale", decoded->aoc_s_entries[i].rate.duration.granularity_time_scale);
}

4
main/ccss.c
View File

@ -1076,9 +1076,9 @@ static void cc_publish_offertimerstart(int core_id, const char *caller, unsigned
{
struct ast_json *extras;
extras = ast_json_pack("{s: s, s: i}",
extras = ast_json_pack("{s: s, s: I}",
"caller", caller,
"expires", expires);
"expires", (ast_json_int_t)expires);
cc_publish(ast_cc_offertimerstart_type(), core_id, extras);
ast_json_unref(extras);

4
main/channel.c
View File

@ -3363,10 +3363,10 @@ static void send_dtmf_end_event(struct ast_channel *chan,
RAII_VAR(struct ast_json *, blob, NULL, ast_json_unref);
char digit_str[] = { digit, '\0' };
blob = ast_json_pack("{ s: s, s: s, s: i }",
blob = ast_json_pack("{ s: s, s: s, s: I }",
"digit", digit_str,
"direction", dtmf_direction_to_string(direction),
"duration_ms", duration_ms);
"duration_ms", (ast_json_int_t)duration_ms);
if (!blob) {
return;
}

6
main/core_local.c
View File

@ -394,8 +394,8 @@ static void local_optimization_started_cb(struct ast_unreal_pvt *base, struct as
return;
}
json_object = ast_json_pack("{s: i, s: i}",
"dest", dest, "id", id);
json_object = ast_json_pack("{s: i, s: I}",
"dest", dest, "id", (ast_json_int_t)id);
if (!json_object) {
return;
@ -436,7 +436,7 @@ static void local_optimization_finished_cb(struct ast_unreal_pvt *base, int succ
return;
}
json_object = ast_json_pack("{s: i, s: i}", "success", success, "id", id);
json_object = ast_json_pack("{s: i, s: I}", "success", success, "id", (ast_json_int_t)id);
if (!json_object) {
return;

24
main/rtp_engine.c
View File

@ -3394,14 +3394,14 @@ static struct ast_json *rtcp_report_to_json(struct stasis_message *msg,
char str_lsr[32];
snprintf(str_lsr, sizeof(str_lsr), "%u", payload->report->report_block[i]->lsr);
json_report_block = ast_json_pack("{s: I, s: i, s: i, s: i, s: i, s: s, s: i}",
json_report_block = ast_json_pack("{s: I, s: I, s: I, s: I, s: I, s: s, s: I}",
"source_ssrc", (ast_json_int_t)payload->report->report_block[i]->source_ssrc,
"fraction_lost", payload->report->report_block[i]->lost_count.fraction,
"packets_lost", payload->report->report_block[i]->lost_count.packets,
"highest_seq_no", payload->report->report_block[i]->highest_seq_no,
"ia_jitter", payload->report->report_block[i]->ia_jitter,
"fraction_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.fraction,
"packets_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.packets,
"highest_seq_no", (ast_json_int_t)payload->report->report_block[i]->highest_seq_no,
"ia_jitter", (ast_json_int_t)payload->report->report_block[i]->ia_jitter,
"lsr", str_lsr,
"dlsr", payload->report->report_block[i]->dlsr);
"dlsr", (ast_json_int_t)payload->report->report_block[i]->dlsr);
if (!json_report_block
|| ast_json_array_append(json_rtcp_report_blocks, json_report_block)) {
ast_json_unref(json_rtcp_report_blocks);
@ -3415,21 +3415,21 @@ static struct ast_json *rtcp_report_to_json(struct stasis_message *msg,
snprintf(sec, sizeof(sec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_sec);
snprintf(usec, sizeof(usec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_usec);
json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: i, s: i, s: i}",
json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: I, s: I, s: I}",
"ntp_timestamp_sec", sec,
"ntp_timestamp_usec", usec,
"rtp_timestamp", payload->report->sender_information.rtp_timestamp,
"packets", payload->report->sender_information.packet_count,
"octets", payload->report->sender_information.octet_count);
"rtp_timestamp", (ast_json_int_t)payload->report->sender_information.rtp_timestamp,
"packets", (ast_json_int_t)payload->report->sender_information.packet_count,
"octets", (ast_json_int_t)payload->report->sender_information.octet_count);
if (!json_rtcp_sender_info) {
ast_json_unref(json_rtcp_report_blocks);
return NULL;
}
}
json_rtcp_report = ast_json_pack("{s: I, s: i, s: i, s: o, s: o}",
json_rtcp_report = ast_json_pack("{s: I, s: I, s: i, s: o, s: o}",
"ssrc", (ast_json_int_t)payload->report->ssrc,
"type", payload->report->type,
"type", (ast_json_int_t)payload->report->type,
"report_count", payload->report->reception_report_count,
"sender_information", json_rtcp_sender_info ?: ast_json_null(),
"report_blocks", json_rtcp_report_blocks);

4
main/stasis_channels.c
View File

@ -1117,11 +1117,11 @@ static struct ast_json *dtmf_end_to_json(
return NULL;
}
return ast_json_pack("{s: s, s: o, s: s, s: i, s: o}",
return ast_json_pack("{s: s, s: o, s: s, s: I, s: o}",
"type", "ChannelDtmfReceived",
"timestamp", ast_json_timeval(*tv, NULL),
"digit", digit,
"duration_ms", duration_ms,
"duration_ms", (ast_json_int_t)duration_ms,
"channel", json_channel);
}