[Devel] Buffer overlow in avpops_impl.c

Walter Schober walter.schober at neotel.at
Wed Jul 5 19:15:40 CEST 2006


Hi!

Yes, I do have the core and the sources. But from CVS version
20060515-141301.
From 20060629-181301 I found only the core.

Br
Walter

-----Original Message-----
From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro] 
Sent: Wednesday, July 05, 2006 7:07 PM
To: Walter Schober
Cc: devel at openser.org
Subject: Re: [Devel] Buffer overlow in avpops_impl.c

Hello,

Can you reproduce the crash and get a core file? It would be recommended to 
use the latest CVS version since there were some updates in the last 
days. Also, please send me the backtrace and keep the sources, 
binaries and the core file; I might need them for further investigation. 
I will ask you to post them for download on an ftp/http site, if it 
is the case.

Cheers,
Daniel

On 07/05/06 19:47, Walter Schober wrote:
> Hi!
>
> Any reason not to increase 
> #define STR_BUF_SIZE  1024
> to 2048 in avpops_impl.c?
>
> If openser (openser-devel-cvs-20060629-181301 snapshot) gets this message:
> -----
> INVITE sip:05557654321 at 111.22.33.131:5060;transport=udp;x-orig=11.222.111.65:5060;x-orig-nat=192.168.41.52:5060 SIP/2.0
> Via: SIP/2.0/UDP 111.22.33.130:5084;branch=z9hG4bKOxqv17W1xHQZ_pF;rport
> Via: SIP/2.0/UDP 111.22.33.131;branch=z9hG4bK8cf5.c5f8b7a.0
> Via: SIP/2.0/UDP 192.168.41.32:5060;received=11.222.111.65;branch=z9hG4bK8bef7daae;rport=1026
> From: "MTA1 Scientific Atlanta"
> <sip:05551234567 at test.neotel.at>;tag=77c36a54bb929cf
> To: "05557654321" <sip:05557654321 at test.neotel.at>
> Call-ID: 80eb766f68cf86b4684e3aadb9f66899 at 192.168.41.32
> CSeq: 1106478969 INVITE
> Max-Forwards: 68
> Supported: timer,replaces
> Allow: NOTIFY,REFER,OPTIONS,INVITE,ACK,CANCEL,BYE
> Contact: "05551234567" <sip:05551234567 at 111.22.33.131:5060;x-orig=11.222.111.65:1026;x-orig-nat=192.168.41.32:5060>
> Content-Length: 483
> Content-Type: application/sdp
> Record-Route: <sip:111.22.33.130:5084;lr>
> Record-Route: <sip:111.22.33.131;lr;ftag=77c36a54bb929cf>
> User-Agent: Brcm-Callctrl/v1.7.2.2 MxSF/v3.6.2.5
> Privacy: none
>
> v=0
> o=MxSIP 0 1123886028 IN IP4 192.168.41.32
> s=SIP Call
> c=IN IP4 111.22.33.136
> t=0 0
> m=audio 35384 RTP/AVP 0 8 101
> a=rtpmap:0 PCMU/8000
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 144,149,159,0-15
> a=ptime:20
> a=sendrecv
> a=silenceSupp:off - - - -
> a=sqn: 0
> a=cdsc: 1 audio RTP/AVP 0 8 101 
> a=cpar: a=rtpmap:0 PCMU/8000
> a=cpar: a=rtpmap:8 PCMA/8000
> a=cpar: a=rtpmap:101 telephone-event/8000
> a=cpar: a=fmtp:101 144,149,159,0-15
> a=nortpproxy:yes
> ------
>
> And does:
>         if (uri==myself) {
>                 if (avp_check("$ru", "re/x-orig=.*x-orig-nat/ig")) {
>
> Openser crashed in ops_check_avp():
> cycle1:
>         /* copy string since pseudo-variables uses static buffer */
>         if(flags&AVP_VAL_STR)
>         {
>                 if(avp_val.s.len>=STR_BUF_SIZE)
>                 {
>                         LOG(L_ERR,
>                                 "avpops:ops_check_avp: error src value too long\n");
>                         goto error;
>                 }
>                 strcpy(str_buf, avp_val.s.s);
>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>               At this strcpy.
>
> Strange: It was this message only. Any other client (!) sending any other
> messages runs fine.
>
> srv01:/home/schoberw# wc test.txt
>   39  104 1486 test.txt
>
> Br
> Walter
>
>
>

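The quoted ops_check_avp() compares avp_val.s.len against STR_BUF_SIZE but then copies with strcpy(), which runs until it meets a NUL byte rather than for len bytes, so the length check does not bound the copy. The example below is added here and is not OpenSER's code; it assumes OpenSER's str type is a pointer plus length that points into the received message and is not NUL-terminated at s[len], and the names demo_msg, find_request_uri, bytes_strcpy_would_write, copy_avp_value and run_demo are illustrative.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not OpenSER code. Mirrors OpenSER's str type: a pointer
 * plus a length. The pointer usually aims into the received SIP message,
 * so s is NOT NUL-terminated at s[len] (assumption this demo relies on). */
typedef struct { char *s; int len; } str;

/* Constructed SIP request, cut down from the one quoted in the thread. */
static const char demo_msg[] =
    "INVITE sip:05557654321@111.22.33.131:5060;transport=udp SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 111.22.33.130:5084;branch=z9hG4bKOxqv17W1xHQZ_pF;rport\r\n"
    "\r\n";

/* Request-URI as a parser would hand it out: a view into demo_msg. */
str find_request_uri(const char *msg) {
    str r = { NULL, 0 };
    const char *start = strchr(msg, ' ');
    const char *end = start ? strchr(start + 1, ' ') : NULL;
    if (!end) return r;
    r.s = (char *)start + 1;
    r.len = (int)(end - r.s);
    return r;
}

/* How many bytes strcpy(str_buf, v->s) would actually write: it stops at
 * the first NUL, not at v->len. Safe to compute here only because demo_msg
 * is a NUL-terminated array; on a real message buffer this is the overrun. */
size_t bytes_strcpy_would_write(const str *v) { return strlen(v->s) + 1; }

/* Bounded copy: the check on len is only sufficient when the copy itself is
 * driven by len. Returns bytes copied, or -1 if the value does not fit. */
int copy_avp_value(char *dst, size_t dstsize, const str *v) {
    if (v->len < 0 || (size_t)v->len >= dstsize) return -1;
    memcpy(dst, v->s, (size_t)v->len);
    dst[v->len] = '\0';
    return v->len;
}

/* Runs the comparison; returns 0 when every expectation holds. */
int run_demo(void) {
    char buf[64];
    str ru = find_request_uri(demo_msg);
    if (ru.len != 48) return 1;                                  /* checked length */
    if (bytes_strcpy_would_write(&ru) <= (size_t)ru.len + 1) return 2; /* strcpy overruns */
    if (copy_avp_value(buf, sizeof buf, &ru) != 48) return 3;    /* bounded copy fits */
    if (strcmp(buf, "sip:05557654321@111.22.33.131:5060;transport=udp")) return 4;
    if (copy_avp_value(buf, 16, &ru) != -1) return 5;            /* too small: refused */
    return 0;
}
```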