Re: Stack-buffer overflow in pjsip_multipart_parse and pj_scan_get_quotes


Hi Stephan,

Thanks for the report.

I ran all three programs under AddressSanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer) and it didn't report any warning or error at all.

Command I used (on Mac):
clang -fsanitize=address -O1 -fno-omit-frame-pointer -g -o out pj-scan-get-until-ch-overflow.c pjsip/lib/libpjsip-x86_64-apple-darwin16.7.0.a pjlib-util/lib/libpjlib-util-x86_64-apple-darwin16.7.0.a pjlib/lib/libpj-x86_64-apple-darwin16.7.0.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm && ./out

The valgrind reports you attached do not seem to point to any stack overflow either (or perhaps it is me who doesn't know how to read them). So if you have additional details (such as which packet bytes trigger the issue, or better yet, which particular PJSIP code is the problematic one, or even better yet, how to fix it :) ), please share them with us.

Regards,
Ming

On Fri, Nov 10, 2017 at 12:14 AM, Stephan Zeisberg <stephan@xxxxxxxxx> wrote:
Dear all —

Please find attached two sample programs that parse a SIP message using pjsip_parse_msg. Both programs cause a stack-buffer overflow.

# Version

trunk

# How to reproduce pjsip_multipart_parse overflow:

$ clang -o out multipart-parse-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid

$ valgrind ./out

The resulting valgrind output is attached.

# How to reproduce pj_scan_get_quotes overflow:

$ clang -o out pj-scan-get-quotes-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid

$ valgrind ./out

The resulting valgrind output is attached.

The issues have been found with afl-fuzz in ASAN mode.

Cheers

    -Stephan Zeisberg


_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@xxxxxxxxxxxxxxx
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
