On Wed, Jun 1, 2016 at 5:25 AM, snuffy <[email protected]> wrote:
> Hello All,
>
> I noticed a bug report ASTERISK-25972,
>

The referenced issue has nothing to do with what you are talking about.

>
> Looking through the code we do the following:
>
> sscanf(string,"%30d",&my_int);
>
> Now the issue is that an integer can't hold a number of 30 digits in length; 32bit
> ints are safe with 9, and 64bit with 19.
>
> If we set a value of %9d, if there are any more digits after the first 9
> they will be lost, but we know the value will be inside the range of an
> integer.
>
> For single value scans, like reading from config files, we could 'mitigate'
> by checking the strlen of the value we intend to read before running scanf;
> if the return is >9, emit a warning stating their value will be truncated and
> read only the first 9 characters into the integer.
>
> If we use just %d, followed by %n, we can see how many characters have been
> consumed; if we determine that it would be too large, emit a warning
> stating that the value is most likely incorrect.
>
>
> Am I barking up the wrong tree? Thoughts?
>

The reason Asterisk uses sscanf format specifiers like "%30d" is because of
the AST-2009-005 security issue, where a bug in libc allowed an attacker to
crash Asterisk by supplying a ridiculously long string of digits in a SIP
message and blow the stack.

As far as reading config files with excessively long integers, garbage in
gives garbage out.

Richard
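The two approaches discussed in the thread, a width-limited sscanf ("%9d", which can never overflow a 32-bit int) with "%n" used to detect that digits were dropped, and a checked strtol parse that reports out-of-range values instead of silently mangling them, as an added example. This is illustrative code written for this thread, not Asterisk's own parsing code; the function names, the result enum and the sample inputs are constructed here.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the checked parser (names constructed for this example). */
enum parse_result { PARSE_OK = 0, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE };

/* Width-limited sscanf as used in Asterisk ("%30d"): the width bounds how
 * many characters sscanf reads from the input, which is what stops a
 * pathologically long digit run from walking through memory. It does not
 * bound the numeric value; a 30-digit input still overflows int, which is
 * undefined behaviour, so only call this on input known to fit. */
int parse_width30(const char *s, int *out)
{
    return sscanf(s, "%30d", out) == 1;
}

/* "%9d%n": at most 9 characters (sign included) are converted, which always
 * fits a 32-bit int, and %n records how many characters were consumed. If
 * the character right after the consumed run is another digit, the value
 * was truncated and the caller can warn. Returns 1 on conversion, 0 if no
 * integer was found. */
int parse_width9(const char *s, int *out, int *truncated)
{
    int consumed = 0;

    *truncated = 0;
    if (sscanf(s, "%9d%n", out, &consumed) != 1)
        return 0;
    if (isdigit((unsigned char)s[consumed]))
        *truncated = 1;            /* more digits follow: value is incomplete */
    return 1;
}

/* Checked alternative: strtol with errno/ERANGE plus an explicit int range
 * check, rejecting empty input and trailing non-digit junk. Overflow is
 * reported here rather than being undefined as with sscanf("%d"). */
enum parse_result parse_int_checked(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s)
        return PARSE_EMPTY;                          /* no digits at all */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return PARSE_RANGE;                          /* does not fit an int */
    while (isspace((unsigned char)*end))
        end++;
    if (*end != '\0')
        return PARSE_TRAILING;                       /* e.g. "12abc" */
    *out = (int)v;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample values, like settings read from a config file. */
    const char *inputs[] = { "42", " -17", "123456789012", "2147483648", "12abc" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0, truncated = 0;
        int ok = parse_width9(inputs[i], &v, &truncated);
        int checked_v = 0;
        enum parse_result r = parse_int_checked(inputs[i], &checked_v);

        printf("\"%s\": %%9d -> %s %d%s; strtol -> code %d\n", inputs[i],
               ok ? "value" : "no value", v,
               truncated ? " (truncated, warn)" : "", (int)r);
    }
    return 0;
}
```

The "%9d" variant keeps the thread's "garbage in, garbage out" semantics but makes the truncation visible, while the strtol variant refuses the value outright; which one a config reader wants depends on whether a bad setting should fall back to a default or abort the load.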
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
