[Devel] Buffer overflow in avpops_impl.c

Daniel-Constantin Mierla daniel at voice-system.ro
Wed Jul 5 21:19:19 CEST 2006


Hello,

On 07/05/06 20:15, Walter Schober wrote:
> Hi!
>
> Yes, I do have the core and the sources. But from CVS version
> 20060515-141301.
> From 20060629-181301 I found only the core.
>   

first send me the backtrace. I may find the issue without the core.

gdb /path/to/openser core
bt

Cheers,
Daniel

> Br
> Walter
>
> -----Original Message-----
> From: Daniel-Constantin Mierla [mailto:daniel at voice-system.ro] 
> Sent: Wednesday, July 05, 2006 7:07 PM
> To: Walter Schober
> Cc: devel at openser.org
> Subject: Re: [Devel] Buffer overflow in avpops_impl.c
>
> Hello,
>
> can you reproduce the crash and get a core file? It would be recommended to 
> use the latest CVS version since there were some updates in the last 
> days. Also, please send to me the backtrace and keep the sources, 
> binaries and the core file, I might need them for further investigation 
> - I will request you to post them for download on a ftp/http site, if it 
> is the case.
>
> Cheers,
> Daniel
>
> On 07/05/06 19:47, Walter Schober wrote:
>   
>> Hi!
>>
>> Any reason not to increase 
>> #define STR_BUF_SIZE  1024
>> to 2048 in avpops_impl.c?
>>
>> If openser (openser-devel-cvs-20060629-181301 snapshot) gets this
>> message:
>> -----
>> INVITE sip:05557654321@111.22.33.131:5060;transport=udp;x-orig=11.222.111.65:5060;x-orig-nat=192.168.41.52:5060 SIP/2.0
>> Via: SIP/2.0/UDP 111.22.33.130:5084;branch=z9hG4bKOxqv17W1xHQZ_pF;rport
>> Via: SIP/2.0/UDP 111.22.33.131;branch=z9hG4bK8cf5.c5f8b7a.0
>> Via: SIP/2.0/UDP 192.168.41.32:5060;received=11.222.111.65;branch=z9hG4bK8bef7daae;rport=1026
>> From: "MTA1 Scientific Atlanta" <sip:05551234567@test.neotel.at>;tag=77c36a54bb929cf
>> To: "05557654321" <sip:05557654321@test.neotel.at>
>> Call-ID: 80eb766f68cf86b4684e3aadb9f66899@192.168.41.32
>> CSeq: 1106478969 INVITE
>> Max-Forwards: 68
>> Supported: timer,replaces
>> Allow: NOTIFY,REFER,OPTIONS,INVITE,ACK,CANCEL,BYE
>> Contact: "05551234567" <sip:05551234567@111.22.33.131:5060;x-orig=11.222.111.65:1026;x-orig-nat=192.168.41.32:5060>
>> Content-Length: 483
>> Content-Type: application/sdp
>> Record-Route: <sip:111.22.33.130:5084;lr>
>> Record-Route: <sip:111.22.33.131;lr;ftag=77c36a54bb929cf>
>> User-Agent: Brcm-Callctrl/v1.7.2.2 MxSF/v3.6.2.5
>> Privacy: none
>>
>> v=0
>> o=MxSIP 0 1123886028 IN IP4 192.168.41.32
>> s=SIP Call
>> c=IN IP4 111.22.33.136
>> t=0 0
>> m=audio 35384 RTP/AVP 0 8 101
>> a=rtpmap:0 PCMU/8000
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 144,149,159,0-15
>> a=ptime:20
>> a=sendrecv
>> a=silenceSupp:off - - - -
>> a=sqn: 0
>> a=cdsc: 1 audio RTP/AVP 0 8 101 
>> a=cpar: a=rtpmap:0 PCMU/8000
>> a=cpar: a=rtpmap:8 PCMA/8000
>> a=cpar: a=rtpmap:101 telephone-event/8000
>> a=cpar: a=fmtp:101 144,149,159,0-15
>> a=nortpproxy:yes
>> ------
>>
>> And does:
>>         if (uri==myself) {
>>                 if (avp_check("$ru", "re/x-orig=.*x-orig-nat/ig")) {
>>
>> Openser crashed in ops_check_avp():
>> cycle1:
>>         /* copy string since pseudo-variables uses static buffer */
>>         if(flags&AVP_VAL_STR)
>>         {
>>                 if(avp_val.s.len>=STR_BUF_SIZE)
>>                 {
>>                         LOG(L_ERR,
>>                                 "avpops:ops_check_avp: error src value too long\n");
>>                         goto error;
>>                 }
>>                 strcpy(str_buf, avp_val.s.s);
>>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>               At this strcpy.
>>
>> Strange: It was this message only. Any other client (!) sending any other
>> messages run fine.
>>
>> srv01:/home/schoberw# wc test.txt
>>   39  104 1486 test.txt
>>
>> Br
>> Walter
>>
>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/devel

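Added note from the editor, not from anyone in the thread: the check `avp_val.s.len>=STR_BUF_SIZE` bounds the `.len` field of OpenSER's `str` (a pointer plus a length, not necessarily NUL-terminated), but `strcpy()` ignores `.len` and copies until the next NUL byte. When the `str` points into the received message buffer, as `$ru` does, that NUL can be the end of the whole packet, so a 1486-byte message overruns a 1024-byte `str_buf` even though the Request-URI itself is only about 100 bytes long; raising STR_BUF_SIZE to 2048 only moves the threshold. The C program below is an added example (not OpenSER's code) that reconstructs this with a constructed message buffer of the reported size, the Request-URI from the report, and constructed padding headers, and shows the length-honouring `memcpy` form that fixes it. The type name `str` and the constant STR_BUF_SIZE are taken from the thread; everything else is assumed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define STR_BUF_SIZE 1024   /* the constant from avpops_impl.c */

/* OpenSER's str type: a pointer and a length, not necessarily NUL-terminated. */
typedef struct _str { char *s; int len; } str;

/* Constructed message buffer, standing in for the received SIP packet. */
static char msg[2048];

/* Build a message of roughly the reported size (1486 bytes) whose Request-URI
 * is the one from the report, and return a str pointing into the buffer at it,
 * the way a pseudo-variable such as $ru would. The padding headers are made up. */
static str build_ruri(void)
{
    const char *ruri = "sip:05557654321@111.22.33.131:5060;transport=udp;"
                       "x-orig=11.222.111.65:5060;x-orig-nat=192.168.41.52:5060";
    size_t n = (size_t)snprintf(msg, sizeof msg, "INVITE %s SIP/2.0\r\n", ruri);
    while (n < 1486)
        n += (size_t)snprintf(msg + n, sizeof msg - n,
                              "X-Pad: 0123456789abcdef0123456789abcdef\r\n");
    str r;
    r.s = msg + strlen("INVITE ");
    r.len = (int)strlen(ruri);
    return r;
}

/* How many bytes strcpy() writes for this source: it ignores .len and runs
 * to the next NUL, which here is the end of the whole message. */
static size_t strcpy_would_write(const str *src)
{
    return strlen(src->s) + 1;
}

/* The pattern from the report: the length check passes, yet strcpy() would
 * still overrun a STR_BUF_SIZE destination. Returns 1 if so, without copying. */
static int unsafe_copy_overflows(const str *src)
{
    if (src->len >= STR_BUF_SIZE)
        return 0;                         /* rejected before any copy */
    return strcpy_would_write(src) > STR_BUF_SIZE;
}

/* Length-honouring replacement: copy exactly len bytes and terminate.
 * Returns 0 on success, -1 when the value does not fit. */
static int safe_copy(char *dst, size_t dst_size, const str *src)
{
    if (src->len < 0 || (size_t)src->len >= dst_size)
        return -1;
    memcpy(dst, src->s, (size_t)src->len);
    dst[src->len] = '\0';
    return 0;
}

int main(void)
{
    char str_buf[STR_BUF_SIZE];
    str ru = build_ruri();
    printf("$ru len=%d, strcpy would write %zu bytes into %d: overflow=%d\n",
           ru.len, strcpy_would_write(&ru), STR_BUF_SIZE, unsafe_copy_overflows(&ru));
    if (safe_copy(str_buf, sizeof str_buf, &ru) == 0)
        printf("safe copy: %s\n", str_buf);
    return 0;
}
```

The point of `unsafe_copy_overflows()` is that it reports an overrun for a 104-byte URI that sails through the `len` check; `safe_copy()` is the shape a practitioner would want in `ops_check_avp()`, since it never reads past `.len` regardless of what follows the value in the message buffer.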

