[asterisk-bugs] [JIRA] (ASTERISK-24472) Asterisk Crash in OpenSSL when calling over WSS from JSSIP
Badalian Vyacheslav (JIRA)
noreply at issues.asterisk.org
Mon Nov 10 10:22:29 CST 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-24472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223447#comment-223447 ]
Badalian Vyacheslav commented on ASTERISK-24472:
------------------------------------------------
{code}
- if (!(req.data = ast_str_create(payload_len + 1))) {
+ if (!(req.data = ast_str_create(payload_len))) {
goto end;
}
- if (ast_str_set(&req.data, -1, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
+ if (ast_str_set(&req.data, payload_len, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
deinit_req(&req);
goto end;
{code}
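Review bot: the `%s` conversion still treats `payload` as a NUL-terminated C string, so neither the old `-1` nor the new `payload_len` cap bounds the read: `max_len` limits how much `ast_str_set` writes into `req.data`, not how far `%s` scans `payload` for a terminator. If the payload may arrive without a trailing NUL, copy exactly `payload_len` bytes instead, e.g. `ast_str_set(&req.data, 0, "%.*s", (int) payload_len, payload)`. Separately, dropping the `+ 1` from `ast_str_create(payload_len + 1)` while capping the string at `payload_len` leaves no room for the terminating NUL of a full-length payload, so a payload of exactly `payload_len` bytes comes out one byte short; keep the `+ 1` (or allow the string to grow) if the cap is meant to be the total buffer capacity.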
Please look at this code. It may be a security bug!
if
- payload_len = 30
- payload_data[0] = [some data of 30 bytes without '\0' at end]
- payload_data[payload_len] = [some data of XXXX bytes] - this can happen after realloc. We are not sure that payload_data[payload_len] is a zeroed memory part.
and you do
- ast_str_set(&req.data, -1, "%s", payload)
WoW WoW WoW.... payload without '\0' now has length 30 + XXXX bytes.... and the "-1" param.... it can be a very very long string....
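The memory layout the comment describes (a payload_len-byte payload with no terminating NUL, followed by other bytes left behind after a realloc), as an added C example that is neither Asterisk code nor the reporter's: `build_region` constructs that layout, `copy_payload_as_cstring` mirrors the shape of the `-1, "%s"` call, and `copy_payload_bounded` shows the `"%.*s"` copy that reads exactly payload_len bytes no matter what follows them. The helper names and the sample bytes are constructed for this example, and plain `snprintf` stands in for `ast_str_set`.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample input (not taken from Asterisk): a 30-byte payload with
 * NO terminating NUL, directly followed by TRAILING_LEN bytes of unrelated
 * data. The trailing bytes stand in for whatever happens to sit after the
 * payload in a heap block that has been realloc'ed. Only the very end of the
 * region carries a NUL, so the over-read below stays inside one array and the
 * demonstration itself is well-defined C.
 */
#define PAYLOAD_LEN  30
#define TRAILING_LEN 200

struct sample_region {
    char bytes[PAYLOAD_LEN + TRAILING_LEN + 1];
};

static void build_region(struct sample_region *r)
{
    static const char text[] = "WS frame payload of 30 bytes!!"; /* exactly 30 chars */
    memcpy(r->bytes, text, PAYLOAD_LEN);               /* payload, no NUL after it */
    memset(r->bytes + PAYLOAD_LEN, 'X', TRAILING_LEN); /* the "XXXX bytes" after it */
    r->bytes[PAYLOAD_LEN + TRAILING_LEN] = '\0';       /* only terminator in the region */
}

/*
 * Mirrors the shape of ast_str_set(&req.data, -1, "%s", payload): the payload
 * pointer is handed to %s, so the copy runs until the first NUL byte, however
 * far past payload_len that is. Returns the length %s produced.
 */
static size_t copy_payload_as_cstring(char *dst, size_t dst_size, const char *payload)
{
    int n = snprintf(dst, dst_size, "%s", payload);
    return n < 0 ? 0 : (size_t) n;
}

/*
 * Bounded alternative: a precision of payload_len tells %s to read at most
 * that many bytes, so a missing terminator no longer matters. dst still needs
 * payload_len + 1 bytes, one of them for the NUL that snprintf writes.
 */
static size_t copy_payload_bounded(char *dst, size_t dst_size,
                                   const char *payload, size_t payload_len)
{
    int n = snprintf(dst, dst_size, "%.*s", (int) payload_len, payload);
    return n < 0 ? 0 : (size_t) n;
}

int main(void)
{
    struct sample_region r;
    char dst[PAYLOAD_LEN + TRAILING_LEN + 1];
    char exact[PAYLOAD_LEN + 1];
    char short_buf[PAYLOAD_LEN];

    build_region(&r);

    printf("%%s copied   %zu bytes (payload_len is %d)\n",
           copy_payload_as_cstring(dst, sizeof dst, r.bytes), PAYLOAD_LEN);
    printf("%%.*s copied %zu bytes\n",
           copy_payload_bounded(exact, sizeof exact, r.bytes, PAYLOAD_LEN));

    /* A destination of only payload_len bytes loses its last character to the NUL. */
    copy_payload_bounded(short_buf, sizeof short_buf, r.bytes, PAYLOAD_LEN);
    printf("payload_len-sized buffer holds %zu chars\n", strlen(short_buf));
    return 0;
}
```

Build with any C99 compiler and run it: the `%s` copy picks up all 230 bytes of the region, the `%.*s` copy exactly 30, and a destination sized to payload_len rather than payload_len + 1 keeps only 29 of them.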
> Asterisk Crash in OpenSSL when calling over WSS from JSSIP
> ----------------------------------------------------------
>
> Key: ASTERISK-24472
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24472
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_rtp_asterisk
> Affects Versions: 11.13.1
> Environment: Opera 20.0.1387.77.
> Use: DTLS, WSS, Valid SSL certificate
> Client - jssip 0.3.0
> Reporter: Badalian Vyacheslav
> Assignee: Badalian Vyacheslav
> Severity: Critical
> Attachments: ASTERISK-24472-11-round-3.diff, ASTERISK-24472-websocket-read-bail-2.diff, backtrace2.txt, backtrace3.txt, backtrace_openssl_debug1.txt, backtrace_openssl_debug2.txt, backtrace_openssl_debug3.txt, backtrace_openssl_debug4.txt, backtrace_openssl_debug5.txt, backtrace.txt, valgrind10.txt, valgrind2.txt, valgrind3.txt, valgrind4.txt, valgrind7.txt, valgrind.txt, ws_rewrite.diff
>
>
> Valgrind and GDB backtrace (3 pieces) attached below
> CentOS x86_64 release 6.6 (Final)
> OpenSSL> version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> # rpm -qa | grep openssl
> openssl-devel-1.0.1e-30.el6_6.2.x86_64
> openssl-debuginfo-1.0.1e-30.el6_6.2.x86_64
> openssl-1.0.1e-30.el6_6.2.x86_64
--
This message was sent by Atlassian JIRA
(v6.2#6252)