asterisk -- Memory exhaustion on short SCCP packets
The Asterisk project reports:
A remote memory exhaustion can be triggered by sending
an SCCP packet to an Asterisk system with "chan_skinny"
enabled that is larger than the length of the SCCP header
but smaller than the packet length specified in the header.
The loop that reads the rest of the packet doesn't detect
that the call to read() returned end-of-file before the
expected number of bytes and continues infinitely. The
"partial data" message logging in that tight loop causes
Asterisk to exhaust all available memory.
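
The end-of-file check the report describes as missing, shown as an added example (this is not Asterisk's chan_skinny code): a read loop that treats read() returning 0 as terminal instead of retrying. The 4-byte length prefix and the names read_exact and demo_packet are constructed for illustration and do not reflect the real SCCP header layout.

```c
#include <errno.h>
#include <stdint.h>
#include <unistd.h>

/* Read exactly `want` bytes. Returns 0 on success, -1 on I/O error or when
 * read() returns 0 (end-of-file) before `want` bytes have arrived. */
static int read_exact(int fd, void *buf, size_t want)
{
    unsigned char *p = buf;
    size_t got = 0;

    while (got < want) {
        ssize_t n = read(fd, p + got, want - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0)
            return -1;   /* EOF: peer closed early, stop instead of retrying */
        else if (errno != EINTR)
            return -1;   /* real I/O error */
    }
    return 0;
}

/* Constructed demo: peer declares `declared` body bytes, sends `sent`, closes.
 * Returns read_exact()'s result for the body, or -2 if the sizes or pipe() fail. */
static int demo_packet(uint32_t declared, size_t sent)
{
    int fds[2], rc = -1;
    unsigned char body[256] = {0}, in[256];
    uint32_t len = 0;

    if (declared > sizeof(in) || sent > sizeof(body) || pipe(fds) != 0)
        return -2;
    ssize_t w1 = write(fds[1], &declared, sizeof(declared));
    ssize_t w2 = write(fds[1], body, sent);
    close(fds[1]);       /* peer hangs up */
    if (w1 == (ssize_t)sizeof(declared) && w2 == (ssize_t)sent &&
        read_exact(fds[0], &len, sizeof(len)) == 0 && len <= sizeof(in))
        rc = read_exact(fds[0], in, len);
    close(fds[0]);
    return rc;
}

int main(void)
{
    /* 100 bytes declared, 20 sent: must fail cleanly rather than spin. */
    return demo_packet(100, 20) == -1 ? 0 : 1;
}
```

The caller drops the session when read_exact returns -1, so a truncated packet costs one failed read and no repeated log output.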
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright