In the Skinny channel driver, KEYPAD_BUTTON_MESSAGE events are queued for processing in a buffer allocated on the heap, where each DTMF value that is received is placed on the end of the buffer. Since the length of the buffer is never checked, an attacker could send sufficient KEYPAD_BUTTON_MESSAGE events such that the buffer is overrun.

Now, the length of the buffer is now checked before appending a value to the end of the buffer.

Affected Versions:

• Product Release Series
• Asterisk Open Source 1.6.2.x All Versions
• Asterisk Open Source 1.8.x All Versions
• Asterisk Open Source 10.x All Versions

Corrected In Product Release:

• Asterisk Open Source 1.6.2.24, 1.8.11.1, 10.3.1