[sr-dev] Playing with Kamailio: passing invalid values without quotes, segfaults, invalid casting, possible C code execution inside config, questions, etc...

Daniel-Constantin Mierla miconda at gmail.com
Sun Jan 20 23:21:18 CET 2013


Hello,

The config file uses a special language, self-made by the project. The 
parameters of config files used to be strings only for most of the time, 
with a fixup to convert them to other types at startup -- some notes here:

- http://www.asipto.com/pub/kamailio-devel-guide/#c16cmd_function

Later, after kamailio-ser integration started, there are some options of 
giving parameters as integer, or even expressions in some cases -- an 
extension to config language started by Andrei Pelinescu-Onciul, which 
was not propagated to all functions, afaik.

So, in summary, yes, every parameter is expected as a string unless a 
special fixup function is used. If you get a core dump, provide the 
backtrace. Even if the parameter is invalid, it should be detected and 
printed as an error message, then exit. Anyhow, keep in mind that the config is 
not C or another general-purpose programming language.

Cheers,
Daniel

On 1/20/13 10:21 PM, Konstantin M. wrote:
> Hello,
>
> While developing and testing my new application (app_java) I've 
> experienced a very weird behaviour.
>
> a simple line:
>  ismethod(free(malloc(0)));
> in kamailio config file produces a segfault:
>  0(2227) ERROR: <core> [cfg.y:3455]: cfg. parser: failed to find 
> command malloc
>  0(2227) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 640, column 25: unknown 
> command, missing loadmodule?
>
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x081defde in yyparse () at cfg.y:3480
> 3480                    if ($1 && mod_func_action->val[1].u.number < 
> MAX_ACTIONS-2) {
> (gdb)
>
>
> so, let's pass some very weird values :-) :
> See the following:
>
>
> here is a small code snippet:
> ----------
> exported functions definition (params from 2 to 7): { "java_exec", 
> (cmd_function)java_exec, 7,   NULL, 0,       ANY_ROUTE },
> function prototype: int java_exec(struct sip_msg *msg, char 
> *method_name, char *signature, char *p1, char *p2, char *p3, char *p4, 
> char *p5);
> ----------
>
> 1)
>  java_exec("test", 
> "Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;", "str1", 
> "str2", "str3");
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;", "str1", 5, 
> "str3");
>
>
>  0(854) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;', 
> params: 'str1', 'str2', 'str3', '(null)', '(null)'
>  0(854) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', signature='Ljava/lang/String;ILjava/lang/String;', 
> params: 'str1', '5', 'str3', '(null)', '(null)'
>
>
> 2)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;B", "str1", 
> 5, "str3", 77);
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;B", "str1", 
> 5, "str3", 0x77);
>
>  0(854) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;ILjava/lang/String;B', params: 'str1', 
> '5', 'str3', '77', '(null)'
>  0(877) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;ILjava/lang/String;B', params: 'str1', 
> '5', 'str3', '119', '(null)'
>
>  so, 77 is '77', 0x77 is '119' (hex conversion, ok)
>
> 3)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", true);
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", false);
>
>  0(907) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', 
> '5', 'str3', '1', '(null)'
>  0(907) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', 
> '5', 'str3', '0', '(null)'
>
>  so, true is '1', false is '0'. What is it ?
>
> 4)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", TRUE);
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", FALSE);
>
>  0(931) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 632, column 86: syntax error
>  0(931) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 632, column 86: '('')' 
> expected (function call)
>  0(931) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 633, column 87: syntax error
>  0(931) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 633, column 87: '('')' 
> expected (function call)
> ERROR: bad config file (4 errors)
>
> 5)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", is_method("INVITE"));
>
> Program received signal SIGSEGV, Segmentation fault.
> fix_rval_expr (p=p at entry=0xb55dad00) at rvalue.c:3791
> 3791                            return fix_rval(&rve->left.rval);
> (gdb)
>
> 6)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", is_unknown_method("INVITE"));
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x081defde in yyparse () at cfg.y:3480
> 3480                    if ($1 && mod_func_action->val[1].u.number < 
> MAX_ACTIONS-2) {
> (gdb)
>
>
> 7)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", nonexistent_value);
>
>  0(1022) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: syntax error
>  0(1022) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: '('')' 
> expected (function call)
> ERROR: bad config file (2 errors)
>
> 8)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", nonexistent_function());
>
>  0(1035) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: syntax error
>  0(1035) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: '('')' 
> expected (function call)
>  0(1035) ERROR: <core> [cfg.y:3455]: cfg. parser: failed to find 
> command nonexistent_function
>  0(1035) : <core> [cfg.y:3594]: parse error in config file 
> /opt/kamailio/etc/kamailio/kamailio.cfg, line 635, column 103: unknown 
> command, missing loadmodule?
>
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x081defde in yyparse () at cfg.y:3480
> 3480                    if ($1 && mod_func_action->val[1].u.number < 
> MAX_ACTIONS-2) {
> (gdb)
>
>
> 9)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", 7777777777777777777777777777777777);
>
>  0(1368) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', 
> '5', 'str3', '2147483647', '(null)'
>
>  so, 7777777777777777777777777777777777 is '2147483647' (INT_MAX)
>
> 10)
>  java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 
> 5, "str3", 0x5 << 1);
>
>  0(1392) ERROR: app_java [java_iface.c:81]: java_exec(): 
> method_name='test', 
> signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', 
> '5', 'str3', '10', '(null)'
>
> ----------------------------------
> Creating a new function java_exec2 with int param:
> exported function:     { "java_exec2", (cmd_function)java_exec2, 2,   
> NULL, 0,     ANY_ROUTE },
> prototype: int java_exec2(struct sip_msg *msg, char *method_name, int 
> param);
>
>  java_exec2("test", 5);
>
>  0(1690) ERROR: app_java [java_mod.c:56]: java_exec2(): 
> method_name='test', params: '-1252293208'
>
>  changing prototype to: int java_exec2(struct sip_msg *msg, char 
> *method_name, void *param);
>  and trying to cast to (char*):
>
>  0(1867) ERROR: app_java [java_mod.c:56]: java_exec2(): 
> method_name='test', params: '5'
>
>  so, the params are being forcibly cast to (char *) ? Why the params 
> aren't void pointers ?
>
> -------------------------------------------
>
>
>
>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, April 16-17, 2013, Berlin
  - http://conference.kamailio.com -
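The rule stated in the reply (a config-function parameter reaches the C function as a `char *` holding the config text, unless a fixup converted it at startup) is illustrated below with a stand-alone C mimic of the exported-function table and fixup mechanism. This is an added example, not code from Kamailio or from app_java: `cmd_t`, `fixup_str2int`, `demo_exec_nofixup`, `demo_exec_fixup`, `run_cmd` and `cmds` are hypothetical names that only imitate the shape of the project's command exports and fixup functions. It reproduces the behaviours from the quoted experiments (hex literals converted, `java_exec2`'s `int` prototype reading a pointer as a number) and shows the practitioner's fix: validate in the fixup and reject trailing junk and out-of-range values rather than clamping silently to `INT_MAX` as in experiment 9.

```c
/* Added illustration of "every config-function parameter is a string
 * unless a fixup converts it". Stand-alone mimic of the mechanism, not
 * Kamailio code: cmd_t, fixup_str2int, demo_exec_nofixup, demo_exec_fixup,
 * run_cmd and cmds are hypothetical names. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A fixup runs once at startup on each parameter, in place, before the
 * function is ever called with a SIP message. */
typedef int (*fixup_fn)(void **param, int param_no);
typedef int (*cmd_fn)(void *msg, char *p1, char *p2);

typedef struct cmd {
    const char *name;
    cmd_fn      function;
    int         param_no;
    fixup_fn    fixup;      /* NULL: parameters stay plain strings */
} cmd_t;

/* Replace the raw string with a heap-allocated, validated int. Accepts
 * decimal and 0x-hex (base 0), but rejects trailing junk and out-of-range
 * values instead of saturating to INT_MAX. */
static int fixup_str2int(void **param, int param_no)
{
    char *s = *param;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 0);
    if (s[0] == '\0' || *end != '\0' || errno == ERANGE
        || v > INT_MAX || v < INT_MIN) {
        fprintf(stderr, "fixup: param %d '%s' is not a valid int\n",
                param_no, s);
        return -1;
    }
    int *out = malloc(sizeof *out);
    if (out == NULL)
        return -1;
    *out = (int)v;
    free(s);            /* the string form is no longer needed */
    *param = out;
    return 0;
}

/* No fixup: p2 is still the text from the config file and must be
 * converted on every call; an unchecked strtol turns "abc" into 0. */
static int demo_exec_nofixup(void *msg, char *method, char *p2)
{
    (void)msg; (void)method;
    return (int)strtol(p2, NULL, 10);
}

/* With fixup: p2 now points at an int prepared at startup. Declaring the
 * parameter itself as "int", as in the java_exec2 experiment, would
 * instead read the pointer's bits as the number. */
static int demo_exec_fixup(void *msg, char *method, char *p2)
{
    (void)msg; (void)method;
    return *(int *)p2;
}

static const cmd_t cmds[] = {
    { "demo_exec_nofixup", demo_exec_nofixup, 2, NULL },
    { "demo_exec_fixup",   demo_exec_fixup,   2, fixup_str2int },
};

static void *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    void *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for the parser: parameters arrive as strings, the fixup is
 * applied to parameter 2, and a failing fixup aborts (returns -1) the
 * way a bad config should, before any call is made. */
static int run_cmd(const cmd_t *c, const char *a1, const char *a2)
{
    void *p1 = dup_str(a1);
    void *p2 = dup_str(a2);
    int r = -1;
    if (p1 != NULL && p2 != NULL
        && (c->fixup == NULL || c->fixup(&p2, 2) == 0))
        r = c->function(NULL, p1, p2);
    free(p1);
    free(p2);
    return r;
}

int main(void)
{
    /* constructed inputs mirroring the quoted experiments */
    const char *inputs[] = { "5", "0x77", "abc",
                             "7777777777777777777777777777777777" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-35s nofixup=%d fixup=%d\n", inputs[i],
               run_cmd(&cmds[0], "test", inputs[i]),
               run_cmd(&cmds[1], "test", inputs[i]));
    return 0;
}
```

The design choice worth copying into a real module is the one Kamailio's own fixups in mod_fix.h embody: do the conversion once at startup where a bad value can stop the process with a clear error, and leave the per-message function free of any parsing of config text.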
