[Devel] bug with security concerns
bogdan at voice-system.ro
Fri Oct 27 17:31:47 CEST 2006
yes, it is good point.
even if 1.0.0 is an old version (the actual stable one is 1.1.0) we will
try to fix it as I guess there are people still using it.
indeed, there are a lot f places (as Ron showed) where function without
size limit are used, but in some case, by doing there is no way of a
overflow (Ex: if I print an integer is a buffer of 12 chars, for sure it
will not overflow).
But we should double check all of them to be sure.
I will appreciate if you can upload this on the tracker to have it in sight.
Thanks and regards,
Elias Baixas wrote:
> Hi all, I just found a bug in version 1.0.1 of OpenSER, in the
> postgres module. I know that version is outdated, but it has some
> security implications, so it maybe important to have it located and
> fix it in branch 1.0.X.
> The function str2valp() uses a char buffer to store a message
> that will later be printed to logs, this message is printed using
> sprintf, so if the value returned from the database is bigger than
> those 256 bytes, that drives to a stack overflow vulnerability with
> its security implications (DoS easily, and maybe arbitrary code
> execution in more unlikely situations).
> Version 1.1.0 is not flawed by this bug, so I imagine someone must
> already be aware of this.
> The default configuration of the postgres db used in OpenSER limits
> most of the fields to 128 or 255 characters (when created with
> scripts/postgresqldb.sh) so the vulnerability is not a concern if db's
> have been created this way.
> In general, the common advice is not to use neither sprintf nor strcpy
> to avoid this kinds of dangerous bugs, and substitute them for
> snprintf and strncpy (which is almost always the case in openser
> code), as well as %s by %.*s
> I hope it helps !
> Elias Baixas
> Devel mailing list
> Devel at openser.org
More information about the Devel