Re: Stack-buffer overflow in pjsip_multipart_parse and pj_scan_get_quotes

Hi Stephan,

Yes, I initially missed that too.

A little bit about the history of our parser:
"The very first component of PJSIP is the parser, which was created to participate in internal parser contest in Switchlab, Ltd. ...
(from http://www.pjsip.org/about.htm)

So it was created with efficiency and speed in mind (note that it was created many years ago, when speed was paramount, and we pride ourselves on achieving that), and in exchange for that speed boost, the spec of the input was intentionally made more restrictive. Of course, nowadays, with multicore CPUs and GHz of processing power, speed has less relevance; nevertheless we will let the code remain as is, for now.

Regards,
Ming


On Mon, Nov 13, 2017 at 4:49 PM, Stephan Zeisberg <stephan@xxxxxxxxx> wrote:
Hi Ming

Ah, sorry. "The length of the string (not counting NULL terminator)." My fault.

Best

    -Stephan


On 11/13/2017 09:29 AM, Ming wrote:
> Hi Stephan,
>
> In all three of the sample programs you provided, according to pjsip_parse_msg() spec:
>  * @param buf  The input buffer, which MUST be NULL terminated.
>  * @param size The length of the string (not counting NULL terminator).
>
> these are actually needed:
>     char packet [] = ".....\x00";
>     pjsip_parse_msg(pool, packet, sizeof(packet)-1, &err_list);
>
> Best regards,
> Ming
>
> On Fri, Nov 10, 2017 at 6:04 PM, Ming <ming@xxxxxxxxx> wrote:
>
>     Hi Stephan,
>
>     Ah, silly me. Forgot to include the flags when compiling PJSIP.
>
>     Thanks for letting me know. I've found the problems and fixed them; all three programs you sent cough up no errors now. Currently still checking for the same patterns in other places as well. Will update you when it's done, probably early next week.
>
>     Thanks a lot and have a good weekend.
>
>     Regards,
>     Ming
>
>     On Fri, Nov 10, 2017 at 4:48 PM, Stephan Zeisberg <stephan@xxxxxxxxx> wrote:
>
>         Hi Ming —
>
>         Please try the following to reproduce the issues:
>
>         $ ./configure CFLAGS='-fsanitize=address -fno-omit-frame-pointer' LDFLAGS='-fsanitize=address -fno-omit-frame-pointer'
>
>         $ clang -o out multipart-parse-overflow.c -O1 -g -fsanitize=address -fno-omit-frame-pointer pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>
>         $ ./out
>
>         I've attached the AddressSanitizer output for the three issues.
>
>         Best
>
>             -Stephan
>
>         On 11/10/2017 02:05 AM, Ming wrote:
>         > Hi Stephan,
>         >
>         > Thanks for the report.
>         >
>         > I ran all three programs under AddressSanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer) and it didn't report any warning or error at all.
>         >
>         > Command I used (on Mac):
>         > clang -fsanitize=address -O1 -fno-omit-frame-pointer -g -o out pj-scan-get-until-ch-overflow.c pjsip/lib/libpjsip-x86_64-apple-darwin16.7.0.a pjlib-util/lib/libpjlib-util-x86_64-apple-darwin16.7.0.a pjlib/lib/libpj-x86_64-apple-darwin16.7.0.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm
>         >
>         > && ./out
>         >
>         > The valgrind reports you attached do not seem to point to any stack overflow either (or perhaps it could be me that doesn't know how to read it). So if you have additional details (such as which packet bytes trigger the issue, or better yet, which particular PJSIP code is the problematic one, or even better yet, how to fix it :) ), please share them with us.
>         >
>         > Regards,
>         > Ming
>         >
>         > On Fri, Nov 10, 2017 at 12:14 AM, Stephan Zeisberg <stephan@xxxxxxxxx> wrote:
>         >
>         >     Dear all —
>         >
>         >     Please find attached two sample programs that parse a SIP message using pjsip_parse_msg. Both programs cause a stack-buffer overflow.
>         >
>         >     # Version
>         >
>         >     trunk
>         >
>         >     # How to reproduce pjsip_multipart_parse overflow:
>         >
>         >     $ clang -o out multipart-parse-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>         >
>         >     $ valgrind ./out
>         >
>         >     The resulting valgrind output is attached.
>         >
>         >     # How to reproduce pj_scan_get_quotes overflow:
>         >
>         >     $ clang -o out pj-scan-get-quotes-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
>         >
>         >     $ valgrind ./out
>         >
>         >     The resulting valgrind output is attached.
>         >
>         >     The issues have been found with afl-fuzz in ASAN mode.
>         >
>         >     Cheers
>         >
>         >         -Stephan Zeisberg
>         >
>         >
>         >     _______________________________________________
>         >     Visit our blog: http://blog.pjsip.org
>         >
>         >     pjsip mailing list
>         >     pjsip@xxxxxxxxxxxxxxx
>         >     http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
>         >
>         >
>         >
>
>

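The contract the thread settles on (buffer NUL terminated, size not counting the terminator) as a small harness-side check, added here as an example that is not part of the thread or of PJSIP; the helper names are my own, and the SIP lines are constructed sample input. The prepared pair would then be handed to pjsip_parse_msg(pool, buf, len, &err_list), as in Ming's message.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Contract of pjsip_parse_msg(), as quoted in the thread: buf MUST be NUL
 * terminated and size is the string length NOT counting that NUL.
 * bufcap is the allocated size of buf, so this check never reads out of
 * bounds itself, even when the caller made the sizeof(packet) mistake.
 * Returns 1 when (buf, size) satisfies the contract, else 0.
 * Added helper for this thread, not a PJSIP API. */
int pjsip_input_ok(const char *buf, size_t bufcap, size_t size)
{
    if (buf == NULL || size >= bufcap)
        return 0;               /* size == bufcap: the sizeof(packet) bug */
    return buf[size] == '\0';
}

/* For char packet[] = "..." literals: sizeof() includes the implicit NUL,
 * so the length handed to the parser is sizeof(packet) - 1. */
size_t literal_parse_len(size_t sizeof_literal)
{
    return sizeof_literal > 0 ? sizeof_literal - 1 : 0;
}

/* Fuzzer input (afl-fuzz files, network reads) carries no terminator.
 * Copy it into len + 1 bytes and terminate, so (copy, len) is valid.
 * Caller frees the result. Added helper, not a PJSIP API. */
char *prepare_parser_input(const unsigned char *data, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, data, len);
    copy[len] = '\0';
    return copy;
}

/* Round trip: does prepare_parser_input() yield a contract-valid pair? */
int prepared_input_ok(const unsigned char *data, size_t len)
{
    char *copy = prepare_parser_input(data, len);
    int ok = pjsip_input_ok(copy, len + 1, len);
    free(copy);
    return ok;
}
```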
