[asterisk-bugs] [JIRA] (ASTERISK-25715) ASAN:global-buffer-overflow pjsip

Badalian Vyacheslav (JIRA) noreply at issues.asterisk.org
Fri Jan 22 17:12:33 CST 2016


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=229134#comment-229134 ] 

Badalian Vyacheslav commented on ASTERISK-25715:
------------------------------------------------

{code}
(gdb) bt
#0  0x00007ffff6f07cf1 in __asan::DescribeAddressRelativeToGlobal(unsigned long, unsigned long, __asan_global const&) () from /lib64/libasan.so.2
#1  0x00007ffff6e93f01 in __asan::DescribeOrGetInfoIfGlobal(unsigned long, unsigned long, bool, __asan_global*) [clone .part.3] () from /lib64/libasan.so.2
#2  0x00007ffff6f090c1 in __asan::DescribeAddress(unsigned long, unsigned long) () from /lib64/libasan.so.2
#3  0x00007ffff6f0aa15 in __asan_report_error () from /lib64/libasan.so.2
#4  0x00007ffff6ee2bfb in memcmp () from /lib64/libasan.so.2
#5  0x00007fffede373c9 in pj_memcmp (size=<optimized out>, buf2=<optimized out>, buf1=<optimized out>) at ../../pjlib/include/pj/string.h:682
#6  pjsip_method_init_np (m=m at entry=0x62500ab8c428, str=str at entry=0x7fffe6833d70) at ../src/pjsip/sip_msg.c:254
#7  0x00007fffede3fdf1 in int_parse_req_line (req_line=0x62500ab8c428, pool=0x62100001e100, scanner=0x7fffe6833f70) at ../src/pjsip/sip_parser.c:1579
#8  int_parse_msg (ctx=ctx at entry=0x7fffe6833f30, err_list=err_list at entry=0x62500ab8c2f0) at ../src/pjsip/sip_parser.c:975
#9  0x00007fffede4241d in pjsip_parse_rdata (
    buf=buf at entry=0x62500ab8b268 "OPTIONS sip:vm-asterisk04t:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.216.88.32:5060;branch=z9hG4bKghn3of302o6hf0d7c151\r\nCall-ID: fa8b37d79876df3d8a01421d6e16b9db0000072 at 10.216.88.32\r\nTo: sip:ping at vm-asterisk0"..., size=<optimized out>, rdata=rdata at entry=0x62500ab8b128) at ../src/pjsip/sip_parser.c:762
#10 0x00007fffede5c608 in pjsip_tpmgr_receive_packet (mgr=<optimized out>, rdata=rdata at entry=0x62500ab8b128) at ../src/pjsip/sip_transport.c:1768
#11 0x00007fffede642e1 in udp_on_read_complete (key=0x62b00000d218, op_key=<optimized out>, bytes_read=354) at ../src/pjsip/sip_transport_udp.c:175
#12 0x00007fffebcb40f9 in ioqueue_dispatch_read_event (ioqueue=ioqueue at entry=0x62800000b1c0, h=h at entry=0x62b00000d218) at ../src/pj/ioqueue_common_abs.c:591
#13 0x00007fffebcb829a in pj_ioqueue_poll (ioqueue=0x62800000b1c0, timeout=timeout at entry=0x7fffe6834c10) at ../src/pj/ioqueue_select.c:966
#14 0x00007fffede4b2fa in pjsip_endpt_handle_events2 (endpt=<optimized out>, max_timeout=max_timeout at entry=0x7fffe6834cb0, p_count=p_count at entry=0x0) at ../src/pjsip/sip_endpoint.c:741
#15 0x00007fffede4b4cc in pjsip_endpt_handle_events (endpt=<optimized out>, max_timeout=max_timeout at entry=0x7fffe6834cb0) at ../src/pjsip/sip_endpoint.c:769
#16 0x00007fffeeb591a7 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:3555
#17 0x00007fffebcbacde in thread_main (param=0x6190005b0a28) at ../src/pj/os_core_unix.c:541
#18 0x00007ffff537edc5 in start_thread () from /lib64/libpthread.so.0
#19 0x00007ffff465e21d in clone () from /lib64/libc.so.6
(gdb) f 6
#6  pjsip_method_init_np (m=m at entry=0x62500ab8c428, str=str at entry=0x7fffe6833d70) at ../src/pjsip/sip_msg.c:254
254             if (pj_memcmp(str->ptr, method_names[i]->ptr, str->slen)==0 ||
(gdb) p str->slen
$1 = 7
(gdb) p str->ptr
$2 = 0x62500ab8b268 "OPTIONS sip:vm-asterisk04t:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.216.88.32:5060;branch=z9hG4bKghn3of302o6hf0d7c151\r\nCall-ID: fa8b37d79876df3d8a01421d6e16b9db0000072 at 10.216.88.32\r\nTo: sip:ping at vm-asterisk0"...
(gdb) p method_names[i]->ptr
$3 = 0x7fffede97900 "ACK"
(gdb) p i
$4 = 2
(gdb) p str
$5 = (pj_str_t *) 0x7fffe6833d70
(gdb) p *str
$6 = {
  ptr = 0x62500ab8b268 "OPTIONS sip:vm-asterisk04t:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.216.88.32:5060;branch=z9hG4bKghn3of302o6hf0d7c151\r\nCall-ID: fa8b37d79876df3d8a01421d6e16b9db0000072 at 10.216.88.32\r\nTo: sip:ping at vm-asterisk0"...,
  slen = 7}
(gdb) p method_names
$7 = {0x7fffee0b3288 <pjsip_invite_method+8>, 0x7fffee0b3248 <pjsip_cancel_method+8>, 0x7fffee0b3208 <pjsip_ack_method+8>, 0x7fffee0b31c8 <pjsip_bye_method+8>, 0x7fffee0b3188 <pjsip_register_method+8>,
  0x7fffee0b3148 <pjsip_options_method+8>}
(gdb) p method_names[i]
$8 = (const pj_str_t * const) 0x7fffee0b3208 <pjsip_ack_method+8>
(gdb) p *method_names[i]
$9 = {ptr = 0x7fffede97900 "ACK", slen = 3}
{code}

Patch:
{code}
--- pjsip/src/pjsip/sip_msg.c.bal       2016-01-23 01:01:19.502670330 +0300
+++ pjsip/src/pjsip/sip_msg.c   2016-01-23 01:03:18.365812210 +0300
@@ -251,7 +251,7 @@
 {
     unsigned i;
     for (i=0; i<PJ_ARRAY_SIZE(method_names); ++i) {
-       if (pj_memcmp(str->ptr, method_names[i]->ptr, str->slen)==0 ||
+       if (pj_memcmp(str->ptr, method_names[i]->ptr, (str->slen < method_names[i]->slen ? str->slen : method_names[i]->slen))==0 ||
            pj_stricmp(str, method_names[i])==0)
        {
            m->id = (pjsip_method_e)i;
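Review bot: The min-length `pj_memcmp` on the `+` line turns the byte comparison into a prefix match, so a request method that merely begins with a shorter known name (a constructed `BYEX`, say) would be classified as that method, and a shorter `str` that matches the start of a longer name already passed before the patch. The over-read itself is real — the gdb frame shows `str->slen` of 7 while `method_names[i]` (`ACK`) holds 3 bytes — but the safer guard is to require equal lengths before touching either buffer: `if (str->slen == method_names[i]->slen &&` / `(pj_memcmp(str->ptr, method_names[i]->ptr, str->slen)==0 ||` / `pj_stricmp(str, method_names[i])==0))`. With equal lengths the memcmp can never read past either string, and the `pj_stricmp` fallback (which presumably already rejects mismatched lengths — worth confirming in pjlib) still covers the case-insensitive match. Since the method text comes straight from the received request line (the backtrace runs from `udp_on_read_complete` into the parser), a mis-set `m->id` would be driven by unauthenticated network input, so exactness matters beyond silencing the sanitizer. `pjsip_method_init_np`'s signature is above the hunk and its body continues past it.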

{code}

> ASAN:global-buffer-overflow pjsip
> ---------------------------------
>
>                 Key: ASTERISK-25715
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25715
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 13.7.0
>         Environment: centos 7 x64
>            Reporter: Badalian Vyacheslav
>
> last master from
> https://github.com/asterisk/pjproject/issues
> {code}
> *CLI> =================================================================
> ==2372==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f2039991340 at pc 0x7f2039924381 bp 0x7f2031300b40 sp 0x7f2031300b30
> READ of size 7 at 0x7f2039991340 thread T34
>     #0 0x7f2039924380 in pj_memcmp ../../pjlib/include/pj/string.h:682
>     #1 0x7f2039924380 in pjsip_method_init_np ../src/pjsip/sip_msg.c:254
>     #2 0x7f203992d602 in int_parse_req_line ../src/pjsip/sip_parser.c:1579
>     #3 0x7f203992d602 in int_parse_msg ../src/pjsip/sip_parser.c:975
>     #4 0x7f2039930cec in pjsip_parse_rdata ../src/pjsip/sip_parser.c:762
>     #5 0x7f203994e4f3 in pjsip_tpmgr_receive_packet ../src/pjsip/sip_transport.c:1768
>     #6 0x7f2039954bc0 in udp_on_read_complete ../src/pjsip/sip_transport_udp.c:175
>     #7 0x7f20375c74f9 in ioqueue_dispatch_read_event ../src/pj/ioqueue_common_abs.c:591
>     #8 0x7f20375cbdfa in pj_ioqueue_poll ../src/pj/ioqueue_select.c:966
>     #9 0x7f203993b4ea in pjsip_endpt_handle_events2 ../src/pjsip/sip_endpoint.c:741
>     #10 0x7f203a658576 in monitor_thread_exec /root/asterisk-13.7.0/res/res_pjsip.c:3555
>     #11 0x7f20375cea3d in thread_main ../src/pj/os_core_unix.c:541
>     #12 0x7f2045f0edc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
>     #13 0x7f20451ee21c in clone (/lib64/libc.so.6+0xf621c)
> 0x7f2039991340 is located 99422720 bytes insideASAN:SIGSEGV
> ==2372==AddressSanitizer: while reporting a bug found another one.Ignoring.
> {code}





