[asterisk-bugs] [JIRA] (ASTERISK-24472) Asterisk Crash in OpenSSL when calling over WSS from JSSIP

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Mon Nov 10 10:26:31 CST 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223447#comment-223447 ] 

Badalian Vyacheslav edited comment on ASTERISK-24472 at 11/10/14 10:26 AM:
---------------------------------------------------------------------------

{code}
-			if (!(req.data = ast_str_create(payload_len + 1))) {
+			if (!(req.data = ast_str_create(payload_len))) {
 				goto end;
 			}
 
-			if (ast_str_set(&req.data, -1, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
+			if (ast_str_set(&req.data, payload_len, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
 				deinit_req(&req);
 				goto end;
{code}
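Review bot: The first pair of lines drops the `+ 1` from `ast_str_create(payload_len + 1)`, which is the byte a NUL-terminated copy of a `payload_len`-byte payload needs, so a payload of exactly `payload_len` bytes no longer fits the initial allocation. The second pair changes only the `max_len` argument of `ast_str_set`; whatever bound that places on the destination string, the `"%s"` conversion still reads `payload` until it finds a NUL, so a payload without a terminator inside its first `payload_len` bytes is over-read by both the old and the new line. Suggest keeping `ast_str_create(payload_len + 1)` and replacing `"%s", payload` with a length-bounded conversion, e.g. `"%.*s", (int) payload_len, payload`, so the read is bounded by `payload_len` rather than by whatever follows the payload in memory.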

Please look at this code. It may be a security bug!

if 
- payload_len = 30
- payload[0] = [some data of 30 bytes without '\0' at end] 
- payload[payload_len] = [some data of XXXX bytes]  - this can happen after realloc.  We are not sure that payload[payload_len] is a zeroed memory part.
 
and you do
- ast_str_set(&req.data, -1, "%s", payload) 
WoW WoW WoW.... payload without '\0' now has length 30 + XXXX bytes.... and "-1" param.... it can be a very very long string....


> Asterisk Crash in OpenSSL when calling over WSS from JSSIP
> ----------------------------------------------------------
>
>                 Key: ASTERISK-24472
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24472
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_rtp_asterisk
>    Affects Versions: 11.13.1
>         Environment: Opera 20.0.1387.77.
> Use: DTLS, WSS, Valid SSL certificate
> Client - jssip 0.3.0 
>            Reporter: Badalian Vyacheslav
>            Assignee: Badalian Vyacheslav
>            Severity: Critical
>         Attachments: ASTERISK-24472-11-round-3.diff, ASTERISK-24472-websocket-read-bail-2.diff, backtrace2.txt, backtrace3.txt, backtrace_openssl_debug1.txt, backtrace_openssl_debug2.txt, backtrace_openssl_debug3.txt, backtrace_openssl_debug4.txt, backtrace_openssl_debug5.txt, backtrace.txt, valgrind10.txt, valgrind2.txt, valgrind3.txt, valgrind4.txt, valgrind7.txt, valgrind.txt, ws_rewrite.diff
>
>
> Valgrind and GDB backtrace (3 pieces) attached below
> CentOS x86_64 release 6.6 (Final)
> OpenSSL> version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> # rpm -qa | grep openssl
> openssl-devel-1.0.1e-30.el6_6.2.x86_64
> openssl-debuginfo-1.0.1e-30.el6_6.2.x86_64
> openssl-1.0.1e-30.el6_6.2.x86_64
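
The failure mode the comment above describes, a `"%s"` conversion applied to a buffer that is only delimited by `payload_len` and may carry no terminator within those bytes, together with the length-bounded alternative, as an added C example. This is not Asterisk code and not the reporter's patch: `payload_unterminated`, `copy_payload`, `format_payload_bounded` and `demo_bounded_copy` are hypothetical names, and the 30-byte buffer followed by trailing bytes is a constructed input that mirrors the comment's scenario.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when the first len bytes of p contain no NUL byte.  In that case a
 * bare "%s" conversion on p does not stop at len: it keeps reading until it
 * finds a NUL somewhere beyond the payload. */
bool payload_unterminated(const char *p, size_t len)
{
    return memchr(p, '\0', len) == NULL;
}

/* Copy exactly len bytes of payload into a new buffer of len + 1 bytes and
 * NUL-terminate it.  The copy is bounded by len, not by the payload's
 * contents, so unterminated or binary payloads are handled.  Returns NULL on
 * allocation failure; the caller frees the result. */
char *copy_payload(const char *payload, size_t len)
{
    char *out = malloc(len + 1);   /* the + 1 is the terminator byte */
    if (!out) {
        return NULL;
    }
    memcpy(out, payload, len);
    out[len] = '\0';
    return out;
}

/* Bounded counterpart of snprintf(dst, dst_size, "%s", payload): the "%.*s"
 * precision caps the number of source bytes read at len.  Returns the number
 * of bytes that belong in dst (excluding the NUL), or -1 if len does not fit
 * the int precision; a result >= dst_size means dst was truncated. */
int format_payload_bounded(char *dst, size_t dst_size,
                           const char *payload, size_t len)
{
    if (len > (size_t)INT_MAX) {
        return -1;
    }
    return snprintf(dst, dst_size, "%.*s", (int)len, payload);
}

/* Self-check on a constructed input that mirrors the comment's scenario:
 * 30 payload bytes with no NUL, immediately followed by leftover bytes from
 * a larger allocation.  Returns the length of the bounded copy (30), or 0 on
 * any failure. */
size_t demo_bounded_copy(void)
{
    char buf[30 + 16];                   /* constructed buffer */
    size_t payload_len = 30;
    memset(buf, 'A', payload_len);       /* the payload itself */
    memset(buf + payload_len, 'X', 15);  /* the "XXXX bytes" after it */
    buf[sizeof buf - 1] = '\0';          /* terminator far past the payload */

    if (!payload_unterminated(buf, payload_len)) {
        return 0;                        /* setup error: a NUL crept in */
    }

    char *copy = copy_payload(buf, payload_len);
    if (!copy) {
        return 0;
    }
    size_t copied = strlen(copy);        /* 30: bounded by payload_len */
    free(copy);

    /* A bare "%s" would instead consume every byte up to the distant NUL,
     * i.e. strlen(buf) == 45 here, and in the real case there may be no
     * NUL at all before the end of the mapping. */
    return strlen(buf) == sizeof buf - 1 ? copied : 0;
}

int main(void)
{
    printf("bounded copy length: %zu\n", demo_bounded_copy());
    return 0;
}
```

The two defensive helpers differ only in ownership: `copy_payload` allocates the `len + 1` bytes itself, while `format_payload_bounded` is the drop-in shape for code that already formats into an existing buffer with `"%s"`.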



--
This message was sent by Atlassian JIRA
(v6.2#6252)


