[asterisk-bugs] [JIRA] (ASTERISK-24963) ASAN: heap-use-after-free with PJSIP and WSS

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Tue Apr 14 09:58:32 CDT 2015


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=225894#comment-225894 ] 

Badalian Vyacheslav edited comment on ASTERISK-24963 at 4/14/15 9:58 AM:
-------------------------------------------------------------------------

Another place, in a simple call to WSS:

{code}
[2015-04-14 17:56:43] DEBUG[12119]: threadpool.c:968 worker_thread_destroy: Destroying worker thread 1
[2015-04-14 17:56:43] DEBUG[12123]: threadpool.c:1107 worker_idle: Worker thread idle timeout reached. Dying.
[2015-04-14 17:56:43] DEBUG[12119]: threadpool.c:968 worker_thread_destroy: Destroying worker thread 2
[2015-04-14 17:56:46] DEBUG[12147]: pjsip:0 <?>:        sip_endpoint.c Processing incoming message: Request msg REGISTER/cseq=83 (rdata0x62200000da80)
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:172 ast_sockaddr_split_hostport: Splitting '172.30.0.154:65511' into...
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:226 ast_sockaddr_split_hostport: ...host '172.30.0.154' and port '65511'.
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:172 ast_sockaddr_split_hostport: Splitting '172.30.0.154:65511' into...
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:226 ast_sockaddr_split_hostport: ...host '172.30.0.154' and port '65511'.
[2015-04-14 17:56:46] DEBUG[12147]: res_pjsip_transport_websocket.c:333 websocket_on_rx_msg: Re-wrote Contact URI host/port to 172.30.0.154:65511
[2015-04-14 17:56:46] DEBUG[12147]: pjsip:0 <?>:        sip_endpoint.c Distributing rdata to modules: Request msg REGISTER/cseq=83 (rdata0x62500003c128)
[2015-04-14 17:56:46] DEBUG[12147]: res_pjsip_endpoint_identifier_ip.c:128 ip_identify: No identify sections to match against
[2015-04-14 17:56:46] DEBUG[12147]: res_pjsip_endpoint_identifier_user.c:104 username_identify: Retrieved endpoint user66_stub
[2015-04-14 17:56:46] DEBUG[12147]: pjsip:0 <?>:              endpoint .Response msg 401/REGISTER/cseq=83 (tdta0x621000074500) created
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:172 ast_sockaddr_split_hostport: Splitting '172.30.0.154' into...
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:226 ast_sockaddr_split_hostport: ...host '172.30.0.154' and port ''.
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:172 ast_sockaddr_split_hostport: Splitting '172.30.0.154' into...
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:226 ast_sockaddr_split_hostport: ...host '172.30.0.154' and port ''.
[2015-04-14 17:56:46] DEBUG[12190]: taskprocessor.c:484 tps_taskprocessor_destroy: destroying taskprocessor '50868fb1-ad83-47be-bb17-f52d3655a755'
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:172 ast_sockaddr_split_hostport: Splitting '172.30.0.154:65511' into...
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:226 ast_sockaddr_split_hostport: ...host '172.30.0.154' and port '65511'.
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:172 ast_sockaddr_split_hostport: Splitting '172.30.0.154:65511' into...
[2015-04-14 17:56:46] DEBUG[12147]: netsock2.c:226 ast_sockaddr_split_hostport: ...host '172.30.0.154' and port '65511'.
  == WebSocket connection from '172.30.0.154:65511' closed
=================================================================
==12117==ERROR: AddressSanitizer: heap-use-after-free on address 0x62200000da80 at pc 0x7f72a5266ca6 bp 0x7f72ba4a3b50 sp 0x7f72ba4a3b48
READ of size 8 at 0x62200000da80 thread T34
    #0 0x7f72a5266ca5 in ws_destroy /home/obs/asterisk-13.3.2/res/res_pjsip_transport_websocket.c:93
    #1 0x7f72c1b7f575 in destroy_transport (/usr/lib/libpjsip.so.2+0x1d575)
    #2 0x7f72c1b81b1e in pjsip_transport_destroy (/usr/lib/libpjsip.so.2+0x1fb1e)
    #3 0x7f72c024cc96 in pj_timer_heap_poll (/usr/lib/libpj.so.2+0x1dc96)
    #4 0x7f72c1b7b0ca in pjsip_endpt_handle_events2 (/usr/lib/libpjsip.so.2+0x190ca)
    #5 0x7f72bdcc0356 in monitor_thread_exec /home/obs/asterisk-13.3.2/res/res_pjsip.c:3170
    #6 0x7f72c023ddf5 in thread_main (/usr/lib/libpj.so.2+0xedf5)
    #7 0x31a3e079d0 in start_thread (/lib64/libpthread.so.0+0x31a3e079d0)
    #8 0x31a36e88fc in clone (/lib64/libc.so.6+0x31a36e88fc)

0x62200000da80 is located 107889578525472 bytes inside
{code}


was (Author: slavon):
Another place, in a simple call to WSS:

{code}
==21478==ERROR: AddressSanitizer: heap-use-after-free on address 0x62200000da80 at pc 0x7f1d9bcc1ca6 bp 0x7f1db0b4cb50 sp 0x7f1db0b4cb48
READ of size 8 at 0x62200000da80 thread T34
    #0 0x7f1d9bcc1ca5 in ws_destroy /home/obs/asterisk-13.3.2/res/res_pjsip_transport_websocket.c:93
    #1 0x7f1db8217575 in destroy_transport (/usr/lib/libpjsip.so.2+0x1d575)
    #2 0x7f1db8219b1e in pjsip_transport_destroy (/usr/lib/libpjsip.so.2+0x1fb1e)
    #3 0x7f1db68e4c96 in pj_timer_heap_poll (/usr/lib/libpj.so.2+0x1dc96)
    #4 0x7f1db82130ca in pjsip_endpt_handle_events2 (/usr/lib/libpjsip.so.2+0x190ca)
    #5 0x7f1db4369356 in monitor_thread_exec /home/obs/asterisk-13.3.2/res/res_pjsip.c:3170
    #6 0x7f1db68d5df5 in thread_main (/usr/lib/libpj.so.2+0xedf5)
    #7 0x31a3e079d0 in start_thread (/lib64/libpthread.so.0+0x31a3e079d0)
    #8 0x31a36e88fc in clone (/lib64/libc.so.6+0x31a36e88fc)

0x62200000da80 is located 107889578525472 bytes inside
{code}

> ASAN: heap-use-after-free with PJSIP and WSS
> --------------------------------------------
>
>                 Key: ASTERISK-24963
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24963
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip, Resources/res_http_websocket
>    Affects Versions: 13.3.2
>            Reporter: Badalian Vyacheslav
>
> {code}
> =================================================================
> ==20692==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200016c594 at pc 0x4956e0 bp 0x7f4dea2566a0 sp 0x7f4dea256698
> READ of size 4 at 0x61200016c594 thread T29
>     #0 0x4956df in INTERNAL_OBJ /home/obs/asterisk-13.3.2/main/astobj2.c:121
>     #1 0x4957b9 in __ao2_lock /home/obs/asterisk-13.3.2/main/astobj2.c:151
>     #2 0x7f4df41a2a90 in __ast_websocket_write /home/obs/asterisk-13.3.2/res/res_http_websocket.c:303
>     #3 0x7f4ddbf62352 in ws_send_msg /home/obs/asterisk-13.3.2/res/res_pjsip_transport_websocket.c:67
>     #4 0x7f4df84ba473 in pjsip_transport_send (/usr/lib/libpjsip.so.2+0x1e473)
>     #5 0x7f4df84b8104 in pjsip_endpt_send_response (/usr/lib/libpjsip.so.2+0x1c104)
>     #6 0x7f4df84b81eb in pjsip_endpt_send_response2 (/usr/lib/libpjsip.so.2+0x1c1eb)
>     #7 0x7f4df462d424 in authenticate res_pjsip/pjsip_distributor.c:317
>     #8 0x7f4df84b533a in pjsip_endpt_process_rx_data (/usr/lib/libpjsip.so.2+0x1933a)
>     #9 0x7f4df462c0dc in distribute res_pjsip/pjsip_distributor.c:348
>     #10 0x7c9a37 in ast_taskprocessor_execute /home/obs/asterisk-13.3.2/main/taskprocessor.c:769
>     #11 0x7d9a50 in threadpool_execute /home/obs/asterisk-13.3.2/main/threadpool.c:351
>     #12 0x7dce68 in worker_active /home/obs/asterisk-13.3.2/main/threadpool.c:1075
>     #13 0x7dca5c in worker_start /home/obs/asterisk-13.3.2/main/threadpool.c:995
>     #14 0x7f9646 in dummy_start /home/obs/asterisk-13.3.2/main/utils.c:1232
>     #15 0x31a3e079d0 in start_thread (/lib64/libpthread.so.0+0x31a3e079d0)
>     #16 0x31a36e88fc in clone (/lib64/libc.so.6+0x31a36e88fc)
> 0x61200016c594 is located 106790068334132 bytes inside
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)