[sr-dev] Playing with Kamailio: passing invalid values without quotes, segfaults, invalid casting, possible C code execution inside config, questions, etc...

Konstantin M. evilzluk at gmail.com
Sun Jan 20 22:21:19 CET 2013


Hello,

While developing and testing my new application (app_java) I've experienced
very weird behaviour.

a simple line:
 ismethod(free(malloc(0)));
in kamailio config file produces a segfault:
 0(2227) ERROR: <core> [cfg.y:3455]: cfg. parser: failed to find command
malloc
 0(2227) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 640, column 25: unknown
command, missing loadmodule?


Program received signal SIGSEGV, Segmentation fault.
0x081defde in yyparse () at cfg.y:3480
3480                    if ($1 && mod_func_action->val[1].u.number <
MAX_ACTIONS-2) {
(gdb)


so, let's pass some very weird values :-) :
See the following:


here is a small code snippet:
----------
exported functions definition (params from 2 to 7): { "java_exec",
(cmd_function)java_exec, 7,   NULL, 0,       ANY_ROUTE },
function prototype: int java_exec(struct sip_msg *msg, char *method_name,
char *signature, char *p1, char *p2, char *p3, char *p4, char *p5);
----------

1)
 java_exec("test",
"Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;", "str1", "str2",
"str3");
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;", "str1", 5,
"str3");


 0(854) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;', params:
'str1', 'str2', 'str3', '(null)', '(null)'
 0(854) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;', params: 'str1', '5',
'str3', '(null)', '(null)'


2)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;B", "str1", 5,
"str3", 77);
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;B", "str1", 5,
"str3", 0x77);

 0(854) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;B', params: 'str1', '5',
'str3', '77', '(null)'
 0(877) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;B', params: 'str1', '5',
'str3', '119', '(null)'

 so, 77 is '77', 0x77 is '119' (hex conversion, ok)

3)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", true);
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", false);

 0(907) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', '5',
'str3', '1', '(null)'
 0(907) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', '5',
'str3', '0', '(null)'

 so, true is '1', false is '0'. What is it?

4)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", TRUE);
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", FALSE);

 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 632, column 86: syntax error
 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 632, column 86: '('')'
expected (function call)
 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 633, column 87: syntax error
 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 633, column 87: '('')'
expected (function call)
ERROR: bad config file (4 errors)

5)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", is_method("INVITE"));

Program received signal SIGSEGV, Segmentation fault.
fix_rval_expr (p=p at entry=0xb55dad00) at rvalue.c:3791
3791                            return fix_rval(&rve->left.rval);
(gdb)

6)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", is_unknown_method("INVITE"));

Program received signal SIGSEGV, Segmentation fault.
0x081defde in yyparse () at cfg.y:3480
3480                    if ($1 && mod_func_action->val[1].u.number <
MAX_ACTIONS-2) {
(gdb)


7)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", nonexistent_value);

 0(1022) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: syntax error
 0(1022) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: '('')'
expected (function call)
ERROR: bad config file (2 errors)

8)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", nonexistent_function());

 0(1035) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: syntax error
 0(1035) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: '('')'
expected (function call)
 0(1035) ERROR: <core> [cfg.y:3455]: cfg. parser: failed to find command
nonexistent_function
 0(1035) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 635, column 103: unknown
command, missing loadmodule?


Program received signal SIGSEGV, Segmentation fault.
0x081defde in yyparse () at cfg.y:3480
3480                    if ($1 && mod_func_action->val[1].u.number <
MAX_ACTIONS-2) {
(gdb)


9)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", 7777777777777777777777777777777777);

 0(1368) ERROR: app_java [java_iface.c:81]: java_exec():
method_name='test', signature='Ljava/lang/String;ILjava/lang/String;Z',
params: 'str1', '5', 'str3', '2147483647', '(null)'

 so, 7777777777777777777777777777777777 is '2147483647' (INT_MAX)

10)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", 0x5 << 1);

 0(1392) ERROR: app_java [java_iface.c:81]: java_exec():
method_name='test', signature='Ljava/lang/String;ILjava/lang/String;Z',
params: 'str1', '5', 'str3', '10', '(null)'

----------------------------------
Creating a new function java_exec2 with int param:
exported function:     { "java_exec2", (cmd_function)java_exec2, 2,   NULL,
0,     ANY_ROUTE },
prototype: int java_exec2(struct sip_msg *msg, char *method_name, int
param);

 java_exec2("test", 5);

 0(1690) ERROR: app_java [java_mod.c:56]: java_exec2(): method_name='test',
params: '-1252293208'

 changing prototype to: int java_exec2(struct sip_msg *msg, char
*method_name, void *param);
 and trying to cast to (char*):

 0(1867) ERROR: app_java [java_mod.c:56]: java_exec2(): method_name='test',
params: '5'

 so, are the params being forcibly cast to (char *)? Why aren't the params
void pointers?
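The "-1252293208" above is what you get when the core hands the function a char * (the raw config token, since the fixup slot of the export is NULL) but the prototype says int: the integer is really the pointer value, read through a mismatched function type. As an added example that is not the module's or Kamailio's own code, here is the defensive shape for such a handler: keep the parameter as char *, convert it with full range and trailing-garbage checks, and reject anything that does not parse. The dispatch() function is a constructed stand-in for the core's call through cmd_function; the sip_msg struct is left opaque because only the pointer is passed.

```c
/* Added example, not part of app_java or Kamailio: validate an integer
 * module parameter that arrives as the config token string. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sip_msg;                      /* opaque here; only the pointer is passed */

/* Generic command-function type: how the core sees every exported function
 * (constructed stand-in for the real typedef). */
typedef int (*cmd_function)(struct sip_msg *, char *, char *);

/* Parse a decimal/hex/octal integer the way a validating fixup would:
 * the whole string must be consumed and the value must fit in an int.
 * Returns 0 on success and stores the value in *out, -1 otherwise. */
static int parse_int_param(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 0);          /* base 0: accepts 5, 0x77, 077 */
    if (errno == ERANGE || *end != '\0')
        return -1;                   /* overflow or trailing garbage */
    if (v < INT_MIN || v > INT_MAX)
        return -1;                   /* long wider than int on this platform */
    *out = (int)v;
    return 0;
}

/* Handler with the parameter kept as char *, which is what the core passes
 * when no fixup is registered. Returns the parsed (non-negative) value on
 * success and -1 on an invalid parameter, so callers can tell them apart. */
static int java_exec2_safe(struct sip_msg *msg, char *method_name, char *param)
{
    int ival;

    (void)msg;
    if (parse_int_param(param, &ival) != 0 || ival < 0) {
        fprintf(stderr, "java_exec2(): method_name='%s', invalid int param '%s'\n",
                method_name, param ? param : "(null)");
        return -1;
    }
    return ival;
}

/* Constructed stand-in for the core's call site: with fixup == NULL every
 * parameter arrives as the raw string token from the config file. */
static int dispatch(cmd_function f, char *p1, char *p2)
{
    return f(NULL, p1, p2);
}

int main(void)
{
    /* Constructed inputs mirroring the values tried in the post. */
    char *samples[] = { "5", "0x77", "7777777777777777777777777777777777",
                        "5abc", "", NULL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int r = dispatch((cmd_function)java_exec2_safe, "test", samples[i]);
        printf("param '%s' -> %d\n", samples[i] ? samples[i] : "(null)", r);
    }
    return 0;
}
```

Note that the handler's prototype now matches what the core actually calls, so no pointer is ever reinterpreted as an int; the conversion happens explicitly, and an out-of-range literal such as the 34-digit one is rejected rather than silently saturated. In Kamailio itself the usual place for this conversion is the fixup slot of the export (mod_fix.h offers integer fixups such as fixup_igp_null with fixup_get_ivalue), which performs the same validation once at config-load time instead of on every call.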

-------------------------------------------