[asterisk-bugs] [JIRA] (ASTERISK-24472) Asterisk Crash in OpenSSL when calling over WSS from JSSIP

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Fri Nov 7 09:48:29 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223399#comment-223399 ] 

Badalian Vyacheslav commented on ASTERISK-24472:
------------------------------------------------

Hmmm... I may have found a logic bug in the code... look


{code}
                if (options_len) {
                        /* read the rest of the header options */
                        if (ws_safe_read(session, &buf[frame_size], options_len, opcode)) {
                                return 0;
                        }
                        frame_size += options_len;
                }

                if (*payload_len == 126) {
                        /* Grab the 2-byte payload length  */
                        *payload_len = ntohs(get_unaligned_uint16(&buf[2]));
                        mask = &buf[4];
                } else if (*payload_len == 127) {
                        /* Grab the 8-byte payload length  */
                        *payload_len = ntohl(get_unaligned_uint64(&buf[2]));
                        mask = &buf[10];
                } else {
                        /* Just set the mask after the small 2-byte header */
                        mask = &buf[2];
                }

                /* Now read the rest of the payload */
                *payload = &buf[frame_size]; /* payload will start here, at the end of the options, if any */
                frame_size = frame_size + (*payload_len); /* final frame size is header + optional headers + payload data */
{code}

- if (options_len) then - frame_size += options_len

but if you look further down the code, you try to get *payload from *payload = &buf[frame_size]... but frame_size now points to the end of the buffer... and you again increase frame_size by payload_len

> Asterisk Crash in OpenSSL when calling over WSS from JSSIP
> ----------------------------------------------------------
>
>                 Key: ASTERISK-24472
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24472
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 11.13.1
>         Environment: Opera 20.0.1387.77.
> Use: DTLS, WSS, Valid SSL certificate
> Client - jssip 0.3.0 
>            Reporter: Badalian Vyacheslav
>            Assignee: Badalian Vyacheslav
>            Severity: Critical
>         Attachments: ASTERISK-24472-11-round-3.diff, ASTERISK-24472-websocket-read-bail-2.diff, backtrace2.txt, backtrace3.txt, backtrace_openssl_debug1.txt, backtrace_openssl_debug2.txt, backtrace_openssl_debug3.txt, backtrace_openssl_debug4.txt, backtrace_openssl_debug5.txt, backtrace.txt, valgrind2.txt, valgrind3.txt, valgrind4.txt, valgrind7.txt, valgrind.txt
>
>
> Valgrind and GDB backtrace (3 pieces) attached below
> CentOS x86_64 release 6.6 (Final)
> OpenSSL> version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> # rpm -qa | grep openssl
> openssl-devel-1.0.1e-30.el6_6.2.x86_64
> openssl-debuginfo-1.0.1e-30.el6_6.2.x86_64
> openssl-1.0.1e-30.el6_6.2.x86_64



--
This message was sent by Atlassian JIRA
(v6.2#6252)
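
For reference alongside the snippet quoted in the comment above, the following is an added example (not Asterisk code and not from the commenter) of a bounds-checked RFC 6455 frame header parser. It shows where the masking key and payload start for each of the three length encodings and rejects a frame whose header plus payload would not fit the receive buffer. The names `ws_hdr`, `ws_parse_header` and the `cap` parameter are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result type for this example (not an Asterisk structure). */
struct ws_hdr {
    uint8_t  opcode;
    int      fin;
    int      masked;
    size_t   mask_off;     /* offset of the 4-byte masking key (if masked) */
    size_t   payload_off;  /* offset of the first payload byte */
    uint64_t payload_len;
};

/* Parse an RFC 6455 frame header from buf[0..avail).
 * cap is the size of the receive buffer the whole frame must fit in.
 * Returns 0 on success, 1 if more header bytes are needed,
 * -1 if the frame is malformed or header + payload would exceed cap. */
int ws_parse_header(const uint8_t *buf, size_t avail, size_t cap, struct ws_hdr *h)
{
    size_t ext, i;
    uint64_t len;

    if (avail < 2) return 1;
    h->fin    = (buf[0] >> 7) & 1;
    h->opcode = buf[0] & 0x0f;
    h->masked = (buf[1] >> 7) & 1;
    len       = buf[1] & 0x7f;

    /* 126 -> 2-byte extended length, 127 -> 8-byte, otherwise none */
    ext = (len == 126) ? 2 : (len == 127) ? 8 : 0;
    h->mask_off    = 2 + ext;                       /* 2, 4 or 10 */
    h->payload_off = h->mask_off + (h->masked ? 4 : 0);
    if (avail < h->payload_off) return 1;

    if (ext) {
        /* Extended length is big-endian; build it byte by byte so the
         * result does not depend on host byte order or alignment. */
        for (len = 0, i = 0; i < ext; i++)
            len = (len << 8) | buf[2 + i];
        if (ext == 8 && (len >> 63)) return -1;     /* top bit must be 0 */
    }
    h->payload_len = len;

    /* Compare against the remaining space instead of adding first, so a
     * huge length can neither wrap size_t nor index past the buffer. */
    if (h->payload_off > cap || len > cap - h->payload_off) return -1;
    return 0;
}
```
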


