[asterisk-bugs] [JIRA] (ASTERISK-25722) ASAN & testsute: stack-buffer-overflow in sip_sipredirect

Corey Farrell (JIRA) noreply at issues.asterisk.org
Mon Jan 25 11:01:32 CST 2016


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=229171#comment-229171 ] 

Corey Farrell commented on ASTERISK-25722:
------------------------------------------

Thanks for the report.  I don't believe this is a security issue, but it is a bug so I will post a fix shortly.  The stack buffer being written to is 256 characters long; the character written past the buffer is just the NULL terminator.

In the future please note this ticket tracker is public.  Please take a look at the wiki page [Asterisk Security Vulnerabilities|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities] for information on reporting a security issue without publicly disclosing it.

> ASAN & testsute: stack-buffer-overflow in sip_sipredirect
> ---------------------------------------------------------
>
>                 Key: ASTERISK-25722
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25722
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 13.7.0
>            Reporter: Badalian Vyacheslav
>            Severity: Minor
>
> Looks like a security issue... 
> {code}
> ==16756==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff203abbe60 at pc 0x7ff237cfa208 bp 0x7ff203abb9c0 sp 0x7ff203abb148
> WRITE of size 257 at 0x7ff203abbe60 thread T72
>     #0 0x7ff237cfa207  (/lib64/libasan.so.2+0x52207)
>     #1 0x7ff237cfaf5a in __interceptor_vsscanf (/lib64/libasan.so.2+0x52f5a)
>     #2 0x7ff237cfb0b9 in __interceptor_sscanf (/lib64/libasan.so.2+0x530b9)
>     #3 0x7ff2275b48d8 in sip_sipredirect /root/asterisk-13.7.0/channels/chan_sip.c:32957
>     #4 0x7ff2274aedc7 in sip_transfer /root/asterisk-13.7.0/channels/chan_sip.c:7449
>     #5 0x5685c8 in ast_transfer /root/asterisk-13.7.0/main/channel.c:6182
>     #6 0x7ff2239fa857 in transfer_exec /root/asterisk-13.7.0/apps/app_transfer.c:121
>     #7 0x6d083c in pbx_exec /root/asterisk-13.7.0/main/pbx.c:1722
>     #8 0x6e7007 in pbx_extension_helper /root/asterisk-13.7.0/main/pbx.c:4994
>     #9 0x6ed147 in ast_spawn_extension /root/asterisk-13.7.0/main/pbx.c:6216
>     #10 0x6ef92c in __ast_pbx_run /root/asterisk-13.7.0/main/pbx.c:6633
>     #11 0x6f2050 in pbx_thread /root/asterisk-13.7.0/main/pbx.c:6953
>     #12 0x7eff7c in dummy_start /root/asterisk-13.7.0/main/utils.c:1237
>     #13 0x7ff2361badc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
>     #14 0x7ff23549a21c in clone (/lib64/libc.so.6+0xf621c)
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
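The ASan report above (a 257-byte write from sscanf into a 256-byte stack buffer) is the classic scanf field-width off-by-one: a width of `%256s` accepts 256 characters and then appends a NUL, so the buffer needs 257 bytes. The following is an added illustration of that pattern and its one-character fix, not the chan_sip code from the ticket (which is not shown here); the `%256s`/`%255s` formats, the function names and the 399-character input are constructed for the demonstration. Instead of relying on AddressSanitizer, the storage array carries one extra guard byte immediately after the 256-byte field, so the overflowing NUL stays inside the array (no undefined behaviour) and the guard simply reports whether the 257th byte was written.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in the scenario discussed (256 characters). */
#define FIELD_LEN 256
#define GUARD_BYTE 0xA5

/*
 * Run sscanf with the given "%Ns" format into a FIELD_LEN-byte field that is
 * followed by a single guard byte.  The array is FIELD_LEN + 1 bytes, so even
 * the off-by-one write lands inside the array; the guard tells us whether the
 * terminating NUL spilled past byte 255 (which, on a real char[256] on the
 * stack, is exactly the write ASan flagged).
 *
 * Returns  1 if the guard survived (the token and its NUL fit in 256 bytes),
 *          0 if the guard was overwritten (a 257th byte was written),
 *         -1 if sscanf matched no token.
 * If copy_out is non-NULL it receives a NUL-terminated copy (at most 255 chars).
 */
static int scan_into_field(const char *input, const char *fmt, char *copy_out)
{
    char storage[FIELD_LEN + 1];
    memset(storage, 0, sizeof storage);
    storage[FIELD_LEN] = (char)GUARD_BYTE;

    if (sscanf(input, fmt, storage) != 1) {
        return -1;
    }
    if (copy_out) {
        /* storage is always NUL-terminated within FIELD_LEN + 1 bytes here. */
        snprintf(copy_out, FIELD_LEN, "%s", storage);
    }
    return (unsigned char)storage[FIELD_LEN] == GUARD_BYTE;
}

/* Off-by-one form: width equals the buffer size, so 256 chars + NUL = 257 bytes. */
int parse_vulnerable(const char *input, char *out)
{
    return scan_into_field(input, "%256s", out);   /* assumed format, for illustration */
}

/* Corrected form: width is buffer size minus one, leaving room for the NUL. */
int parse_fixed(const char *input, char *out)
{
    return scan_into_field(input, "%255s", out);   /* assumed format, for illustration */
}

/* Constructed oversized input: 399 'A' characters, longer than the field. */
static void make_long_input(char *dst, size_t n)
{
    memset(dst, 'A', n - 1);
    dst[n - 1] = '\0';
}

int demo_vulnerable_long(void)
{
    char in[400], out[FIELD_LEN];
    make_long_input(in, sizeof in);
    return parse_vulnerable(in, out);      /* 0: guard clobbered by the NUL */
}

int demo_fixed_long(void)
{
    char in[400], out[FIELD_LEN];
    make_long_input(in, sizeof in);
    return parse_fixed(in, out);           /* 1: guard intact */
}

size_t demo_fixed_kept_len(void)
{
    char in[400], out[FIELD_LEN];
    make_long_input(in, sizeof in);
    parse_fixed(in, out);
    return strlen(out);                    /* 255: truncated, still terminated */
}

int main(void)
{
    printf("vulnerable (%%256s): guard intact = %d\n", demo_vulnerable_long());
    printf("fixed      (%%255s): guard intact = %d, kept %zu chars\n",
           demo_fixed_long(), demo_fixed_kept_len());
    printf("short input, either form: guard intact = %d\n",
           parse_vulnerable("sip:alice@example.com", NULL));
    return 0;
}
```

The short-input case passes in both forms, which is why this class of bug survives normal testing and only surfaces under ASan or with an oversized token; the fix is to size the scanf width at one less than the destination array, or to avoid `%s` into fixed buffers altogether.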


