[Devel] bug with security concerns
elias.baixas at voztele.com
Mon Oct 23 12:41:04 CEST 2006
Hi all, I just found a bug in version 1.0.1 of OpenSER, in the postgres
module. I know that version is outdated, but it has some security
implications, so it maybe important to have it located and fix it in
The function str2valp() uses a char buffer to store a message that
will later be printed to logs, this message is printed using sprintf, so
if the value returned from the database is bigger than those 256 bytes,
that drives to a stack overflow vulnerability with its security
implications (DoS easily, and maybe arbitrary code execution in more
Version 1.1.0 is not flawed by this bug, so I imagine someone must
already be aware of this.
The default configuration of the postgres db used in OpenSER limits most
of the fields to 128 or 255 characters (when created with
scripts/postgresqldb.sh) so the vulnerability is not a concern if db's
have been created this way.
In general, the common advice is not to use neither sprintf nor strcpy
to avoid this kinds of dangerous bugs, and substitute them for snprintf
and strncpy (which is almost always the case in openser code), as well
as %s by %.*s
I hope it helps !
More information about the Devel