AST-2012-005: Fix remotely exploitable heap overflow in keypad button handling

When handling a keypad button message event, the received digit is placed into
a fixed length buffer that acts as a queue.  When a new message event is
received, the length of that buffer is not checked before placing the new digit
on the end of the queue.  The situation exists where sufficient keypad button
message events would occur that would cause the buffer to be overrun.  This
patch explicitly checks that there is sufficient room in the buffer before
appending a new digit.

(closes issue ASTERISK-19592)
Reported by: Russell Bryant
........

Merged revisions 363100 from http://svn.asterisk.org/svn/asterisk/branches/1.6.2
........

Merged revisions 363102 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 363103 from http://svn.asterisk.org/svn/asterisk/branches/10


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@363105 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_skinny.c

@@ -6643,7 +6643,8 @@ static int handle_message(struct skinny_req *req, struct skinnysession *s)
 	int res = 0;
 	struct skinny_speeddial *sd;
 	struct skinny_device *d = s->device;
-	
+	size_t len;
+
 	if ((!s->device) && (letohl(req->e) != REGISTER_MESSAGE && letohl(req->e) != ALARM_MESSAGE)) {
 		ast_log(LOG_WARNING, "Client sent message #%d without first registering.\n", req->e);
 		ast_free(req);
@@ -6712,8 +6713,13 @@ static int handle_message(struct skinny_req *req, struct skinnysession *s)
 				ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
 			}
 
-			sub->exten[strlen(sub->exten)] = dgt;
-			sub->exten[strlen(sub->exten)+1] = '\0';
+			len = strlen(sub->exten);
+			if (len < sizeof(sub->exten) - 1) {
+				sub->exten[len] = dgt;
+				sub->exten[len + 1] = '\0';
+			} else {
+				ast_log(AST_LOG_WARNING, "Dropping digit with value %d because digit queue is full\n", dgt);
+			}
 		} else
 			res = handle_keypad_button_message(req, s);
 		}