[Devel] Buffer overflow in avpops_impl.c

Walter Schober walter.schober at neotel.at
Wed Jul 5 18:47:56 CEST 2006


Hi!

Any reason not to increase
#define STR_BUF_SIZE  1024
to 2048 in avpops_impl.c?

If openser (openser-devel-cvs-20060629-181301 snapshot) gets this message:
-----
INVITE
sip:05557654321 at 111.22.33.131:5060;transport=udp;x-orig=11.222.111.65:5060;x
-orig-nat=192.168.41.52:5060 SIP/2.0
Via: SIP/2.0/UDP 111.22.33.130:5084;branch=z9hG4bKOxqv17W1xHQZ_pF;rport
Via: SIP/2.0/UDP 111.22.33.131;branch=z9hG4bK8cf5.c5f8b7a.0
Via: SIP/2.0/UDP
192.168.41.32:5060;received=11.222.111.65;branch=z9hG4bK8bef7daae;rport=1026
From: "MTA1 Scientific Atlanta"
<sip:05551234567 at test.neotel.at>;tag=77c36a54bb929cf
To: "05557654321" <sip:05557654321 at test.neotel.at>
Call-ID: 80eb766f68cf86b4684e3aadb9f66899 at 192.168.41.32
CSeq: 1106478969 INVITE
Max-Forwards: 68
Supported: timer,replaces
Allow: NOTIFY,REFER,OPTIONS,INVITE,ACK,CANCEL,BYE
Contact: "05551234567"
<sip:05551234567 at 111.22.33.131:5060;x-orig=11.222.111.65:1026;x-orig-nat=192
.168.41.32:5060>
Content-Length: 483
Content-Type: application/sdp
Record-Route: <sip:111.22.33.130:5084;lr>
Record-Route: <sip:111.22.33.131;lr;ftag=77c36a54bb929cf>
User-Agent: Brcm-Callctrl/v1.7.2.2 MxSF/v3.6.2.5
Privacy: none

v=0
o=MxSIP 0 1123886028 IN IP4 192.168.41.32
s=SIP Call
c=IN IP4 111.22.33.136
t=0 0
m=audio 35384 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 144,149,159,0-15
a=ptime:20
a=sendrecv
a=silenceSupp:off - - - -
a=sqn: 0
a=cdsc: 1 audio RTP/AVP 0 8 101 
a=cpar: a=rtpmap:0 PCMU/8000
a=cpar: a=rtpmap:8 PCMA/8000
a=cpar: a=rtpmap:101 telephone-event/8000
a=cpar: a=fmtp:101 144,149,159,0-15
a=nortpproxy:yes
------

And does:
        if (uri==myself) {
                if (avp_check("$ru", "re/x-orig=.*x-orig-nat/ig")) {

Openser crashed in ops_check_avp():
cycle1:
        /* copy string since pseudo-variables uses static buffer */
        if(flags&AVP_VAL_STR)
        {
                if(avp_val.s.len>=STR_BUF_SIZE)
                {
                        LOG(L_ERR,
                                "avpops:ops_check_avp: error src value too long\n");
                        goto error;
                }
                strcpy(str_buf, avp_val.s.s);
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              At this strcpy.

Strange: It was this message only. Any other client (!) sending any other
messages runs fine.

srv01:/home/schoberw# wc test.txt
  39  104 1486 test.txt

Br
Walter
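
Added example (not code from this report or from OpenSER) of the pattern the crash points to: the guard tests the counted length, but strcpy ignores that length and copies until the first NUL, which for a value pointing into the received message buffer is the end of the whole message, not the end of the URI. The str_t type, the constructed message (sized 1486 bytes like the INVITE above), and the helper names are stand-ins chosen for this illustration.

```c
#include <string.h>

/* Constructed stand-in for a counted string {s, len} whose s points into the
 * received message buffer and is therefore NOT NUL-terminated at s + len. */
typedef struct { char *s; int len; } str_t;

#define STR_BUF_SIZE 1024
/* Constructed message: larger than STR_BUF_SIZE, like the 1486-byte INVITE. */
#define MSG_SIZE 1486
static char msg[MSG_SIZE + 1];

/* Fill msg with a request line followed by filler bytes, with the only NUL at
 * the very end, and return a str_t that points at the request-URI inside it. */
static str_t constructed_ruri(void) {
    const char *line = "INVITE sip:05557654321@111.22.33.131:5060;transport=udp;"
                       "x-orig=11.222.111.65:5060;x-orig-nat=192.168.41.52:5060 SIP/2.0\r\n";
    str_t uri;
    memset(msg, 'x', MSG_SIZE);
    msg[MSG_SIZE] = '\0';
    memcpy(msg, line, strlen(line));
    uri.s = msg + strlen("INVITE ");              /* URI starts after the method */
    uri.len = (int)(strchr(uri.s, ' ') - uri.s);  /* and ends at the next space */
    return uri;
}

/* Bytes strcpy() would copy (excluding NUL): it ignores len and runs to the
 * first NUL, which here is the end of the whole message, not of the URI. */
static size_t bytes_strcpy_would_copy(str_t v) {
    return strlen(v.s);
}

/* The check-then-strcpy sequence from the report: returns 1 when the len check
 * passes but the strcpy would still write STR_BUF_SIZE or more bytes. */
static int check_then_strcpy_overruns(str_t v) {
    if (v.len >= STR_BUF_SIZE)
        return 0;                                 /* the check would reject it */
    return bytes_strcpy_would_copy(v) >= STR_BUF_SIZE;
}

/* Bounded copy: honour len, copy exactly that many bytes, NUL-terminate.
 * Returns the bytes stored, or -1 if the value does not fit in dst. */
static int copy_str_bounded(char *dst, size_t dst_size, str_t v) {
    if (v.len < 0 || (size_t)v.len >= dst_size)
        return -1;
    memcpy(dst, v.s, (size_t)v.len);
    dst[v.len] = '\0';
    return v.len;
}
```

Raising STR_BUF_SIZE only moves the threshold; the bounded copy removes the dependence on a NUL that the message buffer does not place where the length check assumes.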
