sr-dev September 2015

sr-dev@lists.kamailio.org

37 participants
387 discussions

git:master:c078256b: Merge pull request #313 from vance-od/patch-1

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: c078256b927ae4b30ba9e5ae9595e5b2084dcdb6 URL: https://github.com/kamailio/kamailio/commit/c078256b927ae4b30ba9e5ae9595e5b… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-03T11:32:10+02:00 Merge pull request #313 from vance-od/patch-1 auth: fixed issue when during registration nonce expired, after backwards time shift --- Modified: modules/auth/nonce.c --- Diff: https://github.com/kamailio/kamailio/commit/c078256b927ae4b30ba9e5ae9595e5b… Patch: https://github.com/kamailio/kamailio/commit/c078256b927ae4b30ba9e5ae9595e5b… --- diff --git a/modules/auth/nonce.c b/modules/auth/nonce.c index 95b967e..025d0d7 100644 --- a/modules/auth/nonce.c +++ b/modules/auth/nonce.c @@ -357,7 +357,13 @@ int check_nonce(auth_body_t* auth, str* secret1, str* secret2, different length (for example because of different auth. checks).. Therefore we force credentials to be rebuilt by UAC without prompting for password */ - return 4; + /* if current time is less than start time, reset the start time + (e.g., after start, the system clock was set in the past) */ + t=time(0); + if (t < up_since) + up_since = t; + if (since < t) + return 4; } t=time(0); if (unlikely((since > t) && ((since-t) > nonce_auth_max_drift) )){

8 years, 8 months

git:master:063e32a8: Update nonce.c

by vance-od

Module: kamailio Branch: master Commit: 063e32a8fe81b2cfbaac0386e6b51446586e619a URL: https://github.com/kamailio/kamailio/commit/063e32a8fe81b2cfbaac0386e6b5144… Author: vance-od <vance(a)ukr.net> Committer: vance-od <vance(a)ukr.net> Date: 2015-09-03T11:43:37+03:00 Update nonce.c auth: fixed issue when during registration nonce expired, after backwards time shift --- Modified: modules/auth/nonce.c --- Diff: https://github.com/kamailio/kamailio/commit/063e32a8fe81b2cfbaac0386e6b5144… Patch: https://github.com/kamailio/kamailio/commit/063e32a8fe81b2cfbaac0386e6b5144… --- diff --git a/modules/auth/nonce.c b/modules/auth/nonce.c index 95b967e..025d0d7 100644 --- a/modules/auth/nonce.c +++ b/modules/auth/nonce.c @@ -357,7 +357,13 @@ int check_nonce(auth_body_t* auth, str* secret1, str* secret2, different length (for example because of different auth. checks).. Therefore we force credentials to be rebuilt by UAC without prompting for password */ - return 4; + /* if current time is less than start time, reset the start time + (e.g., after start, the system clock was set in the past) */ + t=time(0); + if (t < up_since) + up_since = t; + if (since < t) + return 4; } t=time(0); if (unlikely((since > t) && ((since-t) > nonce_auth_max_drift) )){

8 years, 8 months

[kamailio] auth: fixed issue when during registration nonce expired, after backwards time shift (#313)

by vance-od

You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/313 -- Commit Summary -- * Update nonce.c -- File Changes -- M modules/auth/nonce.c (8) -- Patch Links -- https://github.com/kamailio/kamailio/pull/313.patch https://github.com/kamailio/kamailio/pull/313.diff --- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/313

8 years, 8 months

[kamailio] Fix read buffer overflow in parse_hname2 (#308)

by Chris Double

Fix buffer overflow in READ call by making a SAFE_READ that checks the actual length of the buffer. In the buffer overflow case parse_hname2 is called with 'begin' set to the string "Reason:". This string was originally allocated in in rval_get_str as length 6, contents "Reason\0'. The actual pkg_malloc is size of 7 to account for the null terminator. In the caller to parse_hname2 (modules/textops/textops.c line 2229) the null terminator is replaced with a ':' character. parse_hname2 hits the FIRST_QUARTERNIONS macro which expands to a bunch of case statements. The one for the Reason string looks like (macro expanded): case _reas_: p += 4; val = READ(p); switch(LOWER_DWORD(val)) { case _on1_: hdr->type = HDR_REASON_T; hdr->name.len = 6; return (p + 3); The overflow occurs in the READ call. READ is: (*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16) + (*(val + 3) << 24)) With 'p' pointing to "Reason:", then p+4 is "on:". That's only three characters of allocated memory left(the : was originally the null character as explained above and the total pkg_malloc allocated length was 7). READ accesses 4 bytes so we go one past the end of the allocated area. The error is noticeable in a DBG_SYS_MALLOC build but not a PKG_MALLOC build - I assume the latter has a large arena allocated making the buffer overflow still valid memory. There are likely other buffer overflows in the READ usage in other cases in this function. I've [posted to the mailing list](http://lists.sip-router.org/pipermail/sr-dev/2015-August/030529.html) about the issue and whether a more general fix is possible: You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/308 -- Commit Summary -- * Fix read buffer overflow in parse_hname2 -- File Changes -- M parser/case_reas.h (2) M parser/parse_hname2.c (19) -- Patch Links -- https://github.com/kamailio/kamailio/pull/308.patch https://github.com/kamailio/kamailio/pull/308.diff --- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/308

8 years, 8 months

git:master:2aa013d5: textopsx: use safer function to parse header name in short buffer

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 2aa013d5fb992be98fc1ec90abdf0d67625ab724 URL: https://github.com/kamailio/kamailio/commit/2aa013d5fb992be98fc1ec90abdf0d6… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-02T13:31:08+02:00 textopsx: use safer function to parse header name in short buffer --- Modified: modules/textopsx/textopsx.c --- Diff: https://github.com/kamailio/kamailio/commit/2aa013d5fb992be98fc1ec90abdf0d6… Patch: https://github.com/kamailio/kamailio/commit/2aa013d5fb992be98fc1ec90abdf0d6… --- diff --git a/modules/textopsx/textopsx.c b/modules/textopsx/textopsx.c index 6e21242..ba49aee 100644 --- a/modules/textopsx/textopsx.c +++ b/modules/textopsx/textopsx.c @@ -544,7 +544,7 @@ static int fixup_hname_param(char *hname, struct hname_data** h) { (*h)->hname.len = hname - (*h)->hname.s; savec = *hname; *hname = ':'; - parse_hname2((*h)->hname.s, (*h)->hname.s+(*h)->hname.len+3, &hdr); + parse_hname2_short((*h)->hname.s, (*h)->hname.s+(*h)->hname.len, &hdr); *hname = savec; if (hdr.type == HDR_ERROR_T) goto err;

8 years, 8 months

git:master:b62492e2: textops: use safer function to parse header name in short buffer

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: b62492e2e25984528e4cda7f96d7afee1425ceb3 URL: https://github.com/kamailio/kamailio/commit/b62492e2e25984528e4cda7f96d7afe… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-02T13:30:58+02:00 textops: use safer function to parse header name in short buffer --- Modified: modules/textops/textops.c --- Diff: https://github.com/kamailio/kamailio/commit/b62492e2e25984528e4cda7f96d7afe… Patch: https://github.com/kamailio/kamailio/commit/b62492e2e25984528e4cda7f96d7afe… --- diff --git a/modules/textops/textops.c b/modules/textops/textops.c index 7c5e2af..9aaada6 100644 --- a/modules/textops/textops.c +++ b/modules/textops/textops.c @@ -2226,8 +2226,7 @@ static int hname_fixup(void** param, int param_no) gp->v.str.s[gp->v.str.len] = ':'; gp->v.str.len++; - if (parse_hname2(gp->v.str.s, gp->v.str.s - + ((gp->v.str.len<4)?4:gp->v.str.len), &hdr)==0) + if (parse_hname2_short(gp->v.str.s, gp->v.str.s + gp->v.str.len, &hdr)==0) { LM_ERR("error parsing header name\n"); pkg_free(gp);

8 years, 8 months

git:master:a9dc0f73: pv: use safer function to parse header name in short buffer

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: a9dc0f738f448676b8a92818d442ca7142147f9b URL: https://github.com/kamailio/kamailio/commit/a9dc0f738f448676b8a92818d442ca7… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-02T13:30:46+02:00 pv: use safer function to parse header name in short buffer --- Modified: modules/pv/pv_core.c --- Diff: https://github.com/kamailio/kamailio/commit/a9dc0f738f448676b8a92818d442ca7… Patch: https://github.com/kamailio/kamailio/commit/a9dc0f738f448676b8a92818d442ca7… --- diff --git a/modules/pv/pv_core.c b/modules/pv/pv_core.c index 85b6351..9ce9da2 100644 --- a/modules/pv/pv_core.c +++ b/modules/pv/pv_core.c @@ -2820,7 +2820,7 @@ int pv_parse_hdr_name(pv_spec_p sp, str *in) s.s = p; s.len = in->len+1; - if (parse_hname2(s.s, s.s + ((s.len<4)?4:s.len), &hdr)==0) + if (parse_hname2_short(s.s, s.s + s.len, &hdr)==0) { LM_ERR("error parsing header name [%.*s]\n", s.len, s.s); goto error;

8 years, 8 months

git:master:baf90dba: core: select framework - use safer function to parse header name in short buffer

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: baf90dba5c12158386e501e73daa266321d9de38 URL: https://github.com/kamailio/kamailio/commit/baf90dba5c12158386e501e73daa266… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-02T13:29:43+02:00 core: select framework - use safer function to parse header name in short buffer --- Modified: select_core.c --- Diff: https://github.com/kamailio/kamailio/commit/baf90dba5c12158386e501e73daa266… Patch: https://github.com/kamailio/kamailio/commit/baf90dba5c12158386e501e73daa266… --- diff --git a/select_core.c b/select_core.c index d16f59d..a6e6901 100644 --- a/select_core.c +++ b/select_core.c @@ -619,7 +619,7 @@ int select_anyheader(str* res, select_t* s, struct sip_msg* msg) /* if header name is parseable, parse it and set SEL_PARAM_DIV */ c=s->params[2].v.s.s[s->params[2].v.s.len]; s->params[2].v.s.s[s->params[2].v.s.len]=':'; - if (parse_hname2(s->params[2].v.s.s,s->params[2].v.s.s+(s->params[2].v.s.len<3?4:s->params[2].v.s.len+1), + if (parse_hname2_short(s->params[2].v.s.s,s->params[2].v.s.s+(s->params[2].v.s.len<3?4:s->params[2].v.s.len+1), &hdr)==0) { LM_ERR("fixup_call:parse error\n"); return -1;

8 years, 8 months

git:master:ac27d053: parser: fixed the name for the new parse_hname2_short() function

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: ac27d053ce0d9d9295f3ca8052a320e0c0b01699 URL: https://github.com/kamailio/kamailio/commit/ac27d053ce0d9d9295f3ca8052a320e… Author: Daniel-Constantin Mierla <miconda(a)gmail.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-02T13:29:09+02:00 parser: fixed the name for the new parse_hname2_short() function --- Modified: parser/parse_hname2.h --- Diff: https://github.com/kamailio/kamailio/commit/ac27d053ce0d9d9295f3ca8052a320e… Patch: https://github.com/kamailio/kamailio/commit/ac27d053ce0d9d9295f3ca8052a320e… --- diff --git a/parser/parse_hname2.h b/parser/parse_hname2.h index d44abb7..fae4b56 100644 --- a/parser/parse_hname2.h +++ b/parser/parse_hname2.h @@ -36,6 +36,6 @@ * @file */ char* parse_hname2(char* const begin, const char* const end, struct hdr_field* const hdr); -char* parse_hname2_safe(char* const begin, const char* const end, struct hdr_field* const hdr); +char* parse_hname2_short(char* const begin, const char* const end, struct hdr_field* const hdr); #endif /* PARSE_HNAME2_H */

8 years, 8 months

git:master:964ed0a5: parser: fix overflow access when parsing Reason header stored in short buffer

by Daniel-Constantin Mierla

Module: kamailio Branch: master Commit: 964ed0a5083413eb0a70bd8a952d5a91ee9e9883 URL: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a9… Author: Chris Double <chris.double(a)double.co.nz> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2015-09-02T13:15:37+02:00 parser: fix overflow access when parsing Reason header stored in short buffer - it can happen for fixup functions from textops module having header name as a parameter, with critical impact when using system malloc, the internal pkg malloc does a roundup of the allocated space - the issue is caused by the word (4 bytes) read step performed by parse_hname2() - second 4-byte read in buffer "Reason:" exceeds the size by 1 - added a safe read macro that reads 1, 2 or 3 bytes if the size of the buffer is not big enough for a 4 bytes read --- Modified: parser/case_reas.h Modified: parser/parse_hname2.c --- Diff: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a9… Patch: https://github.com/kamailio/kamailio/commit/964ed0a5083413eb0a70bd8a952d5a9… --- diff --git a/parser/case_reas.h b/parser/case_reas.h index e6b8d97..5df0a9d 100644 --- a/parser/case_reas.h +++ b/parser/case_reas.h @@ -49,7 +49,7 @@ #define reas_CASE \ p += 4; \ - val = READ(p); \ + val = SAFE_READ(p, end - p); \ ON_CASE; \ goto other; diff --git a/parser/parse_hname2.c b/parser/parse_hname2.c index 42fb865..e4188a0 100644 --- a/parser/parse_hname2.c +++ b/parser/parse_hname2.c @@ -95,11 +95,26 @@ static inline char* skip_ws(char* p, unsigned int size) /*@} */ +#define SAFE_READ(val, len) \ +((len) == 1 ? READ1(val) : ((len) == 2 ? READ2(val) : ((len) == 3 ? READ3(val) : ((len) > 3 ? READ4(val) : READ0(val))))) + #define READ(val) \ -(*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16) + (*(val + 3) << 24)) +READ4(val) + +#define READ4(val) \ +(*((val) + 0) + (*((val) + 1) << 8) + (*((val) + 2) << 16) + (*((val) + 3) << 24)) #define READ3(val) \ -(*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16)) +(*((val) + 0) + (*((val) + 1) << 8) + (*((val) + 2) << 16)) + +#define READ2(val) \ +(*((val) + 0) + (*((val) + 1) << 8)) + +#define READ1(val) \ +(*((val) + 0)) + +#define READ0(val) \ +(0) #define FIRST_QUATERNIONS \ case _via1_: via1_CASE; \

8 years, 8 months

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev September 2015