[Devel] bug with security concerns

Elias Baixas elias.baixas at voztele.com
Fri Oct 27 18:47:12 CEST 2006 

Hi Bogdan & co-listers,

indeed, I checked all the other ocurrences of strcpy ant sprintf with 
cscope and none of them seemd dangerous, apart from the one in postgres.

best regards

(and see you soon in Berlin )

Elias

Bogdan-Andrei Iancu wrote:
> Hi Elias,
>
> yes, it is good point.
> even if 1.0.0 is an old version (the actual stable one is 1.1.0) we 
> will try to fix it as I guess there are people still using it.
>
> indeed, there are a lot f places (as Ron showed) where function 
> without size limit are used, but in some case, by doing there is no 
> way of a overflow (Ex: if I print an integer is a buffer of 12 chars, 
> for sure it will not overflow).
> But we should double check all of them to be sure.
>
> I will appreciate if you can upload this on the tracker to have it in 
> sight.
>
> Thanks and regards,
> Bogdan
>
> Elias Baixas wrote:
>
>> Hi all, I just found a bug in version 1.0.1 of OpenSER, in the 
>> postgres module. I know that version is outdated, but it has some 
>> security implications, so it maybe important to have it located and 
>> fix it in branch 1.0.X.
>> The function str2valp() uses a char buffer[256] to store a message 
>> that will later be printed to logs, this message is printed using 
>> sprintf, so if the value returned from the database is bigger than 
>> those 256 bytes, that drives to a stack overflow vulnerability with 
>> its security implications (DoS easily, and maybe arbitrary code 
>> execution in more unlikely situations).
>> Version 1.1.0 is not flawed by this bug, so I imagine someone must 
>> already be aware of this.
>> The default configuration of the postgres db used in OpenSER limits 
>> most of the fields to 128 or 255 characters (when created with 
>> scripts/postgresqldb.sh) so the vulnerability is not a concern if 
>> db's have been created this way.
>>
>> In general, the common advice is not to use neither sprintf nor 
>> strcpy to avoid this kinds of dangerous bugs, and substitute them for 
>> snprintf and strncpy (which is almost always the case in openser 
>> code), as well as %s by %.*s
>>
>> I hope it helps !
>>
>> Elias Baixas
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/devel
>>
>
>
>

More information about the Devel mailing list