Re: Stack-buffer overflow in pjsip_multipart_parse and pj_scan_get_quotes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Ming —

The standard (6.4.5 String Literals) says:

"A byte or code of value zero is appended to each multibyte character sequence that results from a string literal or literals."

So for example, the string literal char bar[] = "foo" contains the implicit null-terminator.

sizeof(bar) = 4

Thus, the three sample programs should actually be correct.

Best regards

    -Stephan


On 11/13/2017 09:29 AM, Ming wrote:
> Hi Stephan,
>
> In all three of the sample programs you provided, according to pjsip_parse_msg() spec:
>  * @param bufThe input buffer, which MUST be NULL terminated.
>  * @param sizeThe length of the string (not counting NULL terminator).
>
> these are actually needed:
>     char packet [] = ".....\x00";
>     pjsip_parse_msg(pool, packet, sizeof(packet)-1, &err_list);
>
> Best regards,
> Ming
>
> On Fri, Nov 10, 2017 at 6:04 PM, Ming <ming@xxxxxxxxx <mailto:ming@xxxxxxxxx>> wrote:
>
>     Hi Stephan,
>
>     Ah, silly me. Forgot to include the flags when compiling PJSIP.
>
>     Thanks for letting me know. I've found the problems and fixed them, all three programs you sent coughed up no errors now. Currently still checking for the same patterns in other places as well. Will update you when it's done, probably early next week.
>
>     Thanks a lot and have a good weekend.
>
>     Regards,
>     Ming
>
>     On Fri, Nov 10, 2017 at 4:48 PM, Stephan Zeisberg <stephan@xxxxxxxxx <mailto:stephan@xxxxxxxxx>> wrote:
>
>         Hi Ming —
>
>         Please try the following to reproduce the issues:
>
>         $ ./configure CFLAGS='-fsanitize=address -fno-omit-frame-pointer' LDFLAGS='-fsanitize=address -fno-omit-frame-pointer'
>
>         $ clang -o out multipart-parse-overflow.c -O1 -g -fsanitize=address -fno-omit-frame-pointer pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>
>         $ ./out
>
>         I've attached the AddressSanitizer output for the three issues.
>
>         Best
>
>             -Stephan
>
>         On 11/10/2017 02:05 AM, Ming wrote:
>         > Hi Stephan,
>         >
>         > Thanks for the report.
>         >
>         > I ran all three programs under AddressSanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer <https://github.com/google/sanitizers/wiki/AddressSanitizer>) and it didn't report any warning or error at all.
>         >
>         > Command I used (on Mac):
>         > clang -fsanitize=address -O1 -fno-omit-frame-pointer -g -o out pj-scan-get-until-ch-overflow.c pjsip/lib/libpjsip-x86_64-apple-darwin16.7.0.a pjlib-util/lib/libpjlib-util-x86_64-apple-darwin16.7.0.a pjlib/lib/libpj-x86_64-apple-darwin16.7.0.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm
>         >
>         > && ./out
>         >
>         > The valgrind reports you attached do not seem to point to any stack overflow either (or perhaps it could be me that don't know how to read it). So if you have additional details (such as which packet bytes trigger the issue, or better yet, which particular PJSIP code is the problematic one, or even better yet, how to fix it :) ), please share them with us.
>         >
>         > Regards,
>         > Ming
>         >
>         > On Fri, Nov 10, 2017 at 12:14 AM, Stephan Zeisberg <stephan@xxxxxxxxx <mailto:stephan@xxxxxxxxx> <mailto:stephan@xxxxxxxxx <mailto:stephan@xxxxxxxxx>>> wrote:
>         >
>         >     Dear all —
>         >
>         >     Please find attached two sample programs that parse a SIP message using pjsip_parse_msg. Both programs cause a stack-buffer overflow.
>         >
>         >     # Version
>         >
>         >     trunk
>         >
>         >     # How to reproduce pjsip_multipart_parse overflow:
>         >
>         >     $ clang -o out multipart-parse-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>         >
>         >     $ valgrind ./out
>         >
>         >     The resulting valgrind output is attached.
>         >
>         >     # How to reproduce pj_scan_get_quotes overflow:
>         >
>         >     $ clang -o out pj-scan-get-quotes-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>         >
>         >     $ valgrind ./out
>         >
>         >     The resulting valgrind output is attached.
>         >
>         >     The issues have been found with afl-fuzz in ASAN mode.
>         >
>         >     Cheers
>         >
>         >         -Stephan Zeisberg
>         >
>         >
>         >     _______________________________________________
>         >     Visit our blog: http://blog.pjsip.org
>         >
>         >     pjsip mailing list
>         >     pjsip@xxxxxxxxxxxxxxx <mailto:pjsip@xxxxxxxxxxxxxxx> <mailto:pjsip@xxxxxxxxxxxxxxx <mailto:pjsip@xxxxxxxxxxxxxxx>>
>         >     http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org <http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org> <http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org <http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org>>
>         >
>         >
>         >
>         >
>         > _______________________________________________
>         > Visit our blog: http://blog.pjsip.org
>         >
>         > pjsip mailing list
>         > pjsip@xxxxxxxxxxxxxxx <mailto:pjsip@xxxxxxxxxxxxxxx>
>         > http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org <http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org>
>
>
>         _______________________________________________
>         Visit our blog: http://blog.pjsip.org
>
>         pjsip mailing list
>         pjsip@xxxxxxxxxxxxxxx <mailto:pjsip@xxxxxxxxxxxxxxx>
>         http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org <http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org>
>
>
>
>
>
> _______________________________________________
> Visit our blog: http://blog.pjsip.org
>
> pjsip mailing list
> pjsip@xxxxxxxxxxxxxxx
> http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org


_______________________________________________
Visit our blog: http://blog.pjsip.org

pjsip mailing list
pjsip@xxxxxxxxxxxxxxx
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org




[Index of Archives]     [Asterisk Users]     [Asterisk App Development]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [Linux API]
  Powered by Linux