cel_pgsql.c: Fix buffer overflow calling libpq

PQEscapeStringConn() expects the buffer passed in to be an adequitely sized buffer to write out the escaped SQL value string into. It is possible, for large values (such as large values to Dial with a lot of devices) to have more than our 512+1 byte allocation and thus cause libpq to create a buffer overrun. glibc will nicely ABRT asterisk for you, citing a stack smash. Let's only allocate it to be as large as needed: If we have a value, then (strlen(value) * 2) + 1 (as recommended by libpq), and if we have none, just one byte to hold our null will do. ASTERISK-26896 #close Change-Id: If611c734292618ed68dde17816d09dd16667dea2
2017-03-27 11:49:08 -05:00 · 2017-03-27 11:49:08 -05:00 · f66edcb8b0
parent f43cfb81d9
commit f66edcb8b0
1 changed files with 22 additions and 2 deletions
--- a/cel/cel_pgsql.c
+++ b/cel/cel_pgsql.c
@ -179,11 +179,14 @@ static void pgsql_log(struct ast_event *event)
 	if (connected) {
 		struct columns *cur;
 		struct ast_str *sql = ast_str_create(maxsize), *sql2 = ast_str_create(maxsize2);
-		char buf[257], escapebuf[513];
+		char buf[257];
+		char *escapebuf = NULL;
 		const char *value;
 		int first = 1;
+		size_t bufsize = 513;

-		if (!sql || !sql2) {
+		escapebuf = ast_malloc(bufsize);
+		if (!escapebuf || !sql || !sql2) {
 			goto ast_log_cleanup;
 		}

@ -307,6 +310,22 @@ static void pgsql_log(struct ast_event *event)
 					/* XXX Might want to handle dates, times, and other misc fields here XXX */
 				} else {
 					if (value) {
+						size_t required_size = strlen(value) * 2 + 1;
+
+						/* If our argument size exceeds our buffer, grow it,
+						 * as PQescapeStringConn() expects the buffer to be
+						 * adequitely sized and does *NOT* do size checking.
+						 */
+						if (required_size > bufsize) {
+							char *tmpbuf = ast_realloc(escapebuf, required_size);
+
+							if (!tmpbuf) {
+								goto ast_log_cleanup;
+							}
+
+							escapebuf = tmpbuf;
+							bufsize = required_size;
+						}
 						PQescapeStringConn(conn, escapebuf, value, strlen(value), NULL);
 					} else {
 						escapebuf[0] = '\0';
@ -377,6 +396,7 @@ static void pgsql_log(struct ast_event *event)
 ast_log_cleanup:
 		ast_free(sql);
 		ast_free(sql2);
+		ast_free(escapebuf);
 	}

 	ast_mutex_unlock(&pgsql_lock);