[asterisk-bugs] [JIRA] (ASTERISK-25857) func_aes: incorrect use of strlen() leads to data corruption
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Tue Mar 22 15:42:57 CDT 2016
[ https://issues.asterisk.org/jira/browse/ASTERISK-25857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-25857:
-------------------------------------
Target Release Version/s: 11.22.0
> func_aes: incorrect use of strlen() leads to data corruption
> ------------------------------------------------------------
>
> Key: ASTERISK-25857
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-25857
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Functions/func_aes
> Affects Versions: 11.21.2, 13.6.0, 13.7.2
> Reporter: Gianluca Merlo
> Target Release: 11.22.0
>
>
> Hello,
> I tried to use {{AES_ENCRYPT}}/{{AES_DECRYPT}} from {{func_aes}} for reasons similar to the ones in issue leading to their addition (ASTERISK-13422).
> In my case, the integrity of data passing through was fortunately monitored by validating their format. On all versions I tried, I observed that some of the data seemed "corrupted". I took interest in the issue, and ran encryption/decription stress tests by placing a call to a dialplan snippet such as:
> {noformat}
> exten => _[a-zA-Z0-9].,1,Noop
> same => n,Set(KEY=abcdefghijklmnop)
> same => n,Ringing()
> same => n,Wait(5)
> same => n,Answer()
> same => n,Set(TIMEOUT(absolute)=120)
> same => n,Set(cycles=0)
> same => n,While($[ ${INC(cycles)} < 10000 ])
> same => n,Set(original=${RAND()}:${RAND()}:${RAND()}:${RAND()})
> same => n,Set(crypt=${AES_ENCRYPT(${KEY},${original})})
> same => n,GotoIf($[ ${LEN(${crypt})} > 0 ]?decrypt)
> same => n,Log(NOTICE,TEST is NULL - orig <${original}> crypt <${crypt}> decrypt <>)
> same => n,ContinueWhile()
> same => n(decrypt),Set(decrypt=${AES_DECRYPT(${KEY},${crypt})})
> same => n,GotoIf($[ "${original}" = "${decrypt}" ]?ok)
> same => n,Log(NOTICE,TEST is FAIL - orig <${original}> crypt <${crypt}> decrypt <${decrypt}>)
> same => n,ContinueWhile()
> same => n(ok),Log(NOTICE,TEST is GOOD - orig <${original}> crypt <${crypt}> decrypt <${decrypt}>)
> same => n,EndWhile()
> same => n,Hangup()
> {noformat}
> experiencing a consistent number of failures. Due to their nature, I looked at the code for {{func_aes}} and supposedly found the problem in the misuse of {{strlen}}. This is used to get the length of the data to encode in base64 in {{AES_ENCRYPT}}, but the data therein is binary, thus {{strlen}} will underestimate it at the first NULL character found:
> {code}
> ast_base64encode(buf, (unsigned char *) tmp, strlen(tmp), len);
> {code}
> A more correct estimation, IMHO, can be obtained by evaluating the offset reached by the write pointer
> {code}
> ast_base64encode(buf, (unsigned char *) tmp, tmpP - tmp, len);
> {code}
> code patched this way seems to work fine when stressed test with random data. I am submitting the patch for code review on Gerrit.
> As a fun fact, similar pitfalls were discussed in the original code review at https://reviewboard.asterisk.org/r/128/.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list