[Devel] bug with security concerns

Elias Baixas elias.baixas at voztele.com
Mon Oct 23 12:41:04 CEST 2006


Hi all, I just found a bug in version 1.0.1 of OpenSER, in the postgres 
module. I know that version is outdated, but it has some security 
implications, so it may be important to have it located and fixed in 
branch 1.0.X.
The function str2valp() uses a char buffer[256] to store a message that 
will later be printed to the logs. This message is printed using sprintf, so 
if the value returned from the database is bigger than those 256 bytes, 
that leads to a stack overflow vulnerability with its security 
implications (DoS easily, and maybe arbitrary code execution in less 
likely situations).
Version 1.1.0 does not have this bug, so I imagine someone must 
already be aware of it.
The default configuration of the postgres db used in OpenSER limits most 
of the fields to 128 or 255 characters (when created with 
scripts/postgresqldb.sh), so the vulnerability is not a concern if the DBs 
have been created this way.

In general, the common advice is to use neither sprintf nor strcpy, 
to avoid these kinds of dangerous bugs, and to substitute snprintf and 
strncpy for them (which is almost always the case in openser code), as 
well as %.*s for %s.

I hope it helps !

Elias Baixas
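The pattern described in the message, shown as an added example that is not
OpenSER code and not part of the original post: a fixed 256-byte stack buffer
filled by sprintf with a bare %s, next to the snprintf/%.*s form the message
recommends. The str_t type, the column/message text, the LOG_BUF size and the
300-byte value are all assumptions constructed for the demo; the unsafe
function is only measured (via a zero-size snprintf) and never run on the
oversized value, since that would be undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for a length-prefixed DB string (assumption: not OpenSER's own type). */
typedef struct { const char *s; size_t len; } str_t;

#define LOG_BUF 256
/* Hypothetical log prefix; the real str2valp() message text is not quoted here. */
#define FMT_PREFIX "str2valp: unparsable value for column %s: <"

/* Vulnerable shape: sprintf with a bare %s into a fixed stack buffer.
 * Nothing bounds the copy, so a DB value longer than roughly LOG_BUF minus the
 * prefix runs past buffer[] into saved registers and the return address.
 * Kept only to show the pattern; the demo never calls it with an oversized value. */
static void log_value_unsafe(const char *col, const char *val) {
    char buffer[LOG_BUF];
    sprintf(buffer, FMT_PREFIX "%s>", col, val);   /* overflow when val is long */
    fprintf(stderr, "%s\n", buffer);
}

/* Bytes (including the NUL) that the sprintf above would write, measured
 * safely with a zero-size snprintf instead of actually writing them. */
static int unsafe_bytes_needed(const char *col, const char *val) {
    return snprintf(NULL, 0, FMT_PREFIX "%s>", col, val) + 1;
}

/* 1 if log_value_unsafe() would write past its 256-byte buffer, else 0. */
static int would_overflow(const char *col, const char *val) {
    return unsafe_bytes_needed(col, val) > LOG_BUF;
}

/* Hardened shape: snprintf bounds the destination and %.*s bounds the value by
 * its own length, so neither an oversized nor an unterminated value can run
 * past out[outsz].  Returns 1 if the message was truncated, 0 if it fit,
 * -1 on an encoding error. */
static int log_value_safe(char *out, size_t outsz, const char *col, const str_t *val) {
    int n = snprintf(out, outsz, FMT_PREFIX "%.*s>", col, (int)val->len, val->s);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Demo: a constructed 300-byte "database value" against a 256-byte log buffer. */
int main(void) {
    char big[301];
    memset(big, 'A', 300);
    big[300] = '\0';
    str_t v = { big, 300 };
    char out[LOG_BUF];

    printf("unsafe: needs %d bytes for a %d-byte buffer, overflow=%d\n",
           unsafe_bytes_needed("username", big), LOG_BUF, would_overflow("username", big));

    int trunc = log_value_safe(out, sizeof out, "username", &v);
    printf("safe: truncated=%d, wrote %zu bytes: %.60s...\n", trunc, strlen(out), out);

    str_t small = { "alice", 5 };
    log_value_unsafe("username", "alice");          /* fits, so this one is harmless */
    trunc = log_value_safe(out, sizeof out, "username", &small);
    printf("safe: truncated=%d: %s\n", trunc, out);
    return 0;
}
```

The safe variant deliberately reports truncation instead of silently dropping
it: a log line cut short is acceptable, but a caller that wants the full value
should then allocate a larger buffer rather than reach for sprintf again.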


