[asterisk-bugs] [JIRA] (ASTERISK-24566) Uninit buf in WS write
Richard Mudgett (JIRA)
noreply at issues.asterisk.org
Fri Dec 19 14:24:29 CST 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-24566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=224105#comment-224105 ]
Richard Mudgett commented on ASTERISK-24566:
--------------------------------------------
While your finding of the incorrect use of {{sizeof}} in {{ast_websocket_write()}} is correct, it will have no effect, since the work of {{memset()}} is overwritten by the following code, which sets all of the allocated bytes to the needed values.
{code}
frame[0] = opcode | 0x80;
frame[1] = length;
/* Use the additional available bytes to store the length */
if (length == 126) {
put_unaligned_uint16(&frame[2], htons(actual_length));
} else if (length == 127) {
put_unaligned_uint64(&frame[2], htonl(actual_length));
}
{code}
Even if the above code did not set all of the bytes and the {{memset()}} was fixed, valgrind would have the same finding because valgrind was also triggering on {{ast_websocket_close()}}.
Something that should be checked is which implementations of {{put_unaligned_uint16()}} and {{htons()}} are used on your system. Otherwise, the valgrind findings look like red herrings or the result of some off-nominal code path in the GLIBC IO library.
> Uninit buf in WS write
> ----------------------
>
> Key: ASTERISK-24566
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24566
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_http_websocket
> Affects Versions: 11.14.1, 11.15.0
> Reporter: Badalian Vyacheslav
> Assignee: Richard Mudgett
> Severity: Critical
> Attachments: unbuff.txt
>
>
> When the WS drops the connection, Asterisk tries to write an uninitialized buffer, in WS close and WS write.
> WS Close valgrind:
> {code}
> ==50066== Thread 35:
> ==50066== Conditional jump or move depends on uninitialised value(s)
> ==50066== at 0x37C9E722CB: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:872)
> ==50066== by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==50066== by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==50066== by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==50066== by 0x59A62E: ast_careful_fwrite (utils.c:1403)
> ==50066== by 0x9F86F96: ast_websocket_close (res_http_websocket.c:211)
> ==50066== by 0x9F86B3B: session_destroy_fn (res_http_websocket.c:125)
> ==50066== by 0x44D123: internal_ao2_ref (astobj2.c:466)
> ==50066== by 0x44D444: __ao2_ref (astobj2.c:548)
> ==50066== by 0x9F872D9: ast_websocket_unref (res_http_websocket.c:288)
> ==50066== by 0x11245ACD: __sip_destroy (chan_sip.c:6487)
> ==50066== by 0x11246A92: sip_destroy (chan_sip.c:6688)
> ==50066== Uninitialised value was created by a stack allocation
> ==50066== at 0x9F86EA9: ast_websocket_close (res_http_websocket.c:193)
> ==50066==
> ==50066== Syscall param write(buf) points to uninitialised byte(s)
> ==50066== at 0x37C9EDB61D: ??? (syscall-template.S:82)
> ==50066== by 0x5891EC: tcptls_stream_write (tcptls.c:335)
> ==50066== by 0x37C9E66FD8: _IO_cookie_write (iofopncook.c:72)
> ==50066== by 0x37C9E73084: _IO_do_write@@GLIBC_2.2.5 (fileops.c:522)
> ==50066== by 0x37C9E723DE: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:881)
> ==50066== by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==50066== by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==50066== by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==50066== by 0x59A62E: ast_careful_fwrite (utils.c:1403)
> ==50066== by 0x9F86F96: ast_websocket_close (res_http_websocket.c:211)
> ==50066== by 0x9F86B3B: session_destroy_fn (res_http_websocket.c:125)
> ==50066== by 0x44D123: internal_ao2_ref (astobj2.c:466)
> ==50066== Address 0x6eb0e73 is 131 bytes inside a block of size 280 alloc'd
> ==50066== at 0x4A06A2E: malloc (vg_replace_malloc.c:270)
> ==50066== by 0x37C9E6718D: fopencookie@@GLIBC_2.2.5 (iofopncook.c:200)
> ==50066== by 0x5895DB: tcptls_stream_fopen (tcptls.c:506)
> ==50066== by 0x589895: handle_tcptls_connection (tcptls.c:592)
> ==50066== by 0x599DDB: dummy_start (utils.c:1192)
> ==50066== by 0x37CA2079D0: start_thread (pthread_create.c:301)
> ==50066== by 0x37C9EE89DC: clone (clone.S:115)
> ==50066== Uninitialised value was created by a stack allocation
> ==50066== at 0x9F86EA9: ast_websocket_close (res_http_websocket.c:193)
> ==50066==
> {code}
> WS Write valgrind:
> {code}
> ==22077== Thread 29:
> ==22077== Conditional jump or move depends on uninitialised value(s)
> ==22077== at 0x37C9E722CB: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:872)
> ==22077== by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==22077== by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==22077== by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==22077== by 0x599927: ast_careful_fwrite (utils.c:1434)
> ==22077== by 0xA20B161: ast_websocket_write (res_http_websocket.c:256)
> ==22077== by 0x10FB0FB5: __sip_xmit (chan_sip.c:3731)
> ==22077== by 0x10FB4C30: send_response (chan_sip.c:4609)
> ==22077== by 0x10FD6D0A: __transmit_response (chan_sip.c:11957)
> ==22077== by 0x10FD740D: transmit_response (chan_sip.c:12047)
> ==22077== by 0x11025736: handle_request_bye (chan_sip.c:26884)
> ==22077== by 0x1102C46F: handle_incoming (chan_sip.c:28368)
> ==22077== by 0x1102CEC9: handle_request_do (chan_sip.c:28548)
> ==22077== by 0x10FAD4CD: sip_websocket_callback (chan_sip.c:2617)
> ==22077== by 0xA20CAA1: websocket_callback (res_http_websocket.c:681)
> ==22077== Uninitialised value was created by a stack allocation
> ==22077== at 0xA20AFB9: ast_websocket_write (res_http_websocket.c:220)
> ==22077==
> ==22077== Syscall param write(buf) points to uninitialised byte(s)
> ==22077== at 0x37C9EDB61D: ??? (syscall-template.S:82)
> ==22077== by 0x588414: tcptls_stream_write (tcptls.c:335)
> ==22077== by 0x37C9E66FD8: _IO_cookie_write (iofopncook.c:72)
> ==22077== by 0x37C9E73084: new_do_write (fileops.c:522)
> ==22077== by 0x37C9E73084: _IO_do_write@@GLIBC_2.2.5 (fileops.c:495)
> ==22077== by 0x37C9E723DE: _IO_file_overflow@@GLIBC_2.2.5 (fileops.c:881)
> ==22077== by 0x37C9E74638: _IO_default_xsputn (genops.c:485)
> ==22077== by 0x37C9E71791: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1372)
> ==22077== by 0x37C9E67A4C: fwrite (iofwrite.c:45)
> ==22077== by 0x599927: ast_careful_fwrite (utils.c:1434)
> ==22077== by 0xA20B161: ast_websocket_write (res_http_websocket.c:256)
> ==22077== by 0x10FB0FB5: __sip_xmit (chan_sip.c:3731)
> ==22077== by 0x10FB4C30: send_response (chan_sip.c:4609)
> ==22077== by 0x10FD6D0A: __transmit_response (chan_sip.c:11957)
> ==22077== by 0x10FD740D: transmit_response (chan_sip.c:12047)
> ==22077== by 0x11025736: handle_request_bye (chan_sip.c:26884)
> ==22077== Address 0x6187ca3 is 131 bytes inside a block of size 280 alloc'd
> ==22077== at 0x4A0720A: malloc (vg_replace_malloc.c:296)
> ==22077== by 0x37C9E6718D: fopencookie@@GLIBC_2.2.5 (iofopncook.c:200)
> ==22077== by 0x588803: tcptls_stream_fopen (tcptls.c:506)
> ==22077== by 0x588ABD: handle_tcptls_connection (tcptls.c:592)
> ==22077== by 0x5990D4: dummy_start (utils.c:1223)
> ==22077== by 0x37CA2079D0: start_thread (pthread_create.c:301)
> ==22077== by 0x37C9EE89DC: clone (clone.S:115)
> ==22077== Uninitialised value was created by a stack allocation
> ==22077== at 0xA20AFB9: ast_websocket_write (res_http_websocket.c:220)
> {code}
> VGDB backtrace caused by WS write attached.
> Also look at the bug in the initialization of the {{frame}} buffer in WS write:
> {code}
> - memset(frame, 0, sizeof(*frame));
> + memset(frame, 0, header_size);
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
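As an added illustration (not code from the Asterisk tree or from this thread), the header layout the quoted snippet builds and the {{memset()}} point from the report, in plain C; it assumes {{frame}} is a {{char}} pointer, as the proposed diff implies, and the {{ws_*}} helper names are my own:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6455 unmasked header: 2 bytes, plus 2 (16-bit) or 8 (64-bit) length. */
size_t ws_header_size(uint64_t payload_len)
{
    return payload_len < 126 ? 2 : (payload_len <= 0xFFFF ? 4 : 10);
}

/* Write the header into hdr (at least ws_header_size bytes). Length bytes are
 * emitted most-significant first by hand, so the result does not depend on
 * htons()/htonl() or put_unaligned_*() helpers. Returns bytes written. */
size_t ws_build_header(uint8_t *hdr, uint8_t opcode, uint64_t payload_len)
{
    size_t n = ws_header_size(payload_len), ext = n - 2, i;
    hdr[0] = 0x80 | (opcode & 0x0F);                        /* FIN + opcode */
    hdr[1] = n == 2 ? (uint8_t)payload_len : (n == 4 ? 126 : 127);
    for (i = 0; i < ext; i++) {
        hdr[2 + i] = (uint8_t)(payload_len >> (8 * (ext - 1 - i)));
    }
    return n;
}

/* Probe: build the header and return byte idx, or -1 past the end. */
int ws_header_byte(uint8_t opcode, uint64_t payload_len, size_t idx)
{
    uint8_t hdr[10];
    size_t n = ws_build_header(hdr, opcode, payload_len);
    return idx < n ? hdr[idx] : -1;
}

/* The memset from the report: frame is a pointer, so sizeof(*frame) is 1 and
 * only the first byte is cleared. With fixed != 0 the full header_size is
 * cleared instead. Returns how many leading header bytes ended up zero. */
size_t ws_count_zeroed(size_t header_size, int fixed)
{
    char *frame = malloc(header_size);
    size_t zeroed = 0;
    if (!frame) {
        return 0;
    }
    memset(frame, 0xAA, header_size);   /* stand-in for stale memory contents */
    memset(frame, 0, fixed ? header_size : sizeof(*frame));
    while (zeroed < header_size && frame[zeroed] == 0) {
        zeroed++;
    }
    free(frame);
    return zeroed;
}
```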