[asterisk-bugs] [JIRA] (ASTERISK-25857) func_aes: incorrect use of strlen() leads to data corruption

Joshua Colp (JIRA) noreply at issues.asterisk.org
Mon Apr 25 16:49:03 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-25857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Colp updated ASTERISK-25857:
-----------------------------------

    Target Release Version/s: 13.9.0

> func_aes: incorrect use of strlen() leads to data corruption
> ------------------------------------------------------------
>
>                 Key: ASTERISK-25857
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25857
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_aes
>    Affects Versions: 11.21.2, 13.6.0, 13.7.2
>            Reporter: Gianluca Merlo
>      Target Release: 11.22.0, 13.9.0
>
>
> Hello,
> I tried to use {{AES_ENCRYPT}}/{{AES_DECRYPT}} from {{func_aes}} for reasons similar to the ones in issue leading to their addition (ASTERISK-13422).
> In my case, the integrity of data passing through was fortunately monitored by validating their format. On all versions I tried, I observed that some of the data seemed "corrupted". I took interest in the issue, and ran encryption/decription stress tests by placing a call to a dialplan snippet such as:
> {noformat}
> exten => _[a-zA-Z0-9].,1,Noop
>     same => n,Set(KEY=abcdefghijklmnop)
>     same => n,Ringing()
>     same => n,Wait(5)
>     same => n,Answer()
>     same => n,Set(TIMEOUT(absolute)=120)
>     same => n,Set(cycles=0)
>     same => n,While($[ ${INC(cycles)} < 10000 ])
>         same => n,Set(original=${RAND()}:${RAND()}:${RAND()}:${RAND()})
>         same => n,Set(crypt=${AES_ENCRYPT(${KEY},${original})})
>         same => n,GotoIf($[ ${LEN(${crypt})} > 0 ]?decrypt)
>         same => n,Log(NOTICE,TEST is NULL - orig <${original}> crypt <${crypt}> decrypt <>)
>         same => n,ContinueWhile()
>         same => n(decrypt),Set(decrypt=${AES_DECRYPT(${KEY},${crypt})})
>         same => n,GotoIf($[ "${original}" = "${decrypt}" ]?ok)
>         same => n,Log(NOTICE,TEST is FAIL - orig <${original}> crypt <${crypt}> decrypt <${decrypt}>)
>         same => n,ContinueWhile()
>         same => n(ok),Log(NOTICE,TEST is GOOD - orig <${original}> crypt <${crypt}> decrypt <${decrypt}>)
>     same => n,EndWhile()
>     same => n,Hangup()
> {noformat}
> experiencing a consistent number of failures. Due to their nature, I looked at the code for {{func_aes}} and supposedly found the problem in the misuse of {{strlen}}. This is used to get the length of the data to encode in base64 in {{AES_ENCRYPT}}, but the data therein is binary, thus {{strlen}} will underestimate it at the first NULL character found:
> {code}
> ast_base64encode(buf, (unsigned char *) tmp, strlen(tmp), len);
> {code}
> A more correct estimation, IMHO, can be obtained by evaluating the offset reached by the write pointer
> {code}
> ast_base64encode(buf, (unsigned char *) tmp, tmpP - tmp, len);
> {code}
> code patched this way seems to work fine when stressed test with random data. I am submitting the patch for code review on Gerrit.
> As a fun fact, similar pitfalls were discussed in the original code review at https://reviewboard.asterisk.org/r/128/.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list