[sr-dev] [kamailio] Fix read buffer overflow in parse_hname2 (#308)

Chris Double notifications at github.com
Mon Aug 31 05:04:30 CEST 2015


Fix buffer overflow in READ call by making a SAFE_READ that checks
the actual length of the buffer.

In the buffer overflow case parse_hname2 is called with 'begin' set to
the string "Reason:". This string was originally allocated in
rval_get_str as length 6, contents "Reason\0". The actual pkg_malloc
is size of 7 to account for the null terminator.

In the caller to parse_hname2 (modules/textops/textops.c line 2229)
the null terminator is replaced with a ':' character.

parse_hname2 hits the FIRST_QUARTERNIONS macro which expands to a
bunch of case statements. The one for the Reason string looks like
(macro expanded):

        case _reas_:
                p += 4;
                val = READ(p);
                switch(LOWER_DWORD(val)) {
                        case _on1_:
                                hdr->type = HDR_REASON_T;
                                hdr->name.len = 6;
                                return (p + 3);

The overflow occurs in the READ call. READ is:

    (*(val + 0) + (*(val + 1) << 8) + (*(val + 2) << 16) + (*(val + 3) << 24))

With 'p' pointing to "Reason:", then p+4 is "on:". That's only three
characters of allocated memory left (the : was originally the null
character as explained above and the total pkg_malloc allocated length
was 7). READ accesses 4 bytes so we go one past the end of the
allocated area.

The error is noticeable in a DBG_SYS_MALLOC build but not a PKG_MALLOC
build - I assume the latter has a large arena allocated making the
buffer overflow still valid memory.

There are likely other buffer overflows in the READ usage in other cases in this function. I've [posted to the mailing list](http://lists.sip-router.org/pipermail/sr-dev/2015-August/030529.html) about the issue and whether a more general fix is possible:


You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/308

-- Commit Summary --

  * Fix read buffer overflow in parse_hname2

-- File Changes --

    M parser/case_reas.h (2)
    M parser/parse_hname2.c (19)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/308.patch
https://github.com/kamailio/kamailio/pull/308.diff

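The read described in the PR, reproduced as an added example that is not part of the pull request or of the kamailio source. It models the quoted _reas_ case with a 7-byte buffer holding "Reason:" (the NUL overwritten by ':'), and contrasts the unchecked 4-byte READ with a hypothetical bounds-checked read that takes the remaining length. The keyword words KW_REAS and KW_ON, the helper names safe_read, match_reason_header and unchecked_match_reason_header, and the sample inputs are all constructed here; they are stand-ins for the project's _reas_ / _on1_ constants and its SAFE_READ, not their real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The READ macro as quoted in the PR: a 4-byte little-endian word at p,
 * with no knowledge of how many bytes are actually left in the buffer. */
#define READ(p) ((uint32_t)(p)[0] | ((uint32_t)(p)[1] << 8) | \
                 ((uint32_t)(p)[2] << 16) | ((uint32_t)(p)[3] << 24))

/* ASCII lower-casing of all four bytes at once, as the parser does. */
#define LOWER_DWORD(d) ((d) | 0x20202020u)

/* Keyword words computed from constructed strings; these are stand-ins
 * for the project's _reas_ / _on1_ constants, not their real values. */
static const unsigned char KW_REAS_STR[4] = {'r', 'e', 'a', 's'};
static const unsigned char KW_ON_STR[4]   = {'o', 'n', ':', ' '};
#define KW_REAS READ(KW_REAS_STR)
#define KW_ON   READ(KW_ON_STR)

enum hdr_match { HDR_NONE = 0, HDR_REASON = 1, HDR_TRUNCATED = 2 };

/* Hypothetical bounds-checked read (not the project's SAFE_READ): bytes
 * past the end of the buffer are never touched and come back as zero,
 * which cannot match any ASCII keyword byte. */
uint32_t safe_read(const unsigned char *p, size_t remaining)
{
    uint32_t val = 0;
    size_t n = remaining < 4 ? remaining : 4;
    for (size_t i = 0; i < n; i++)
        val |= (uint32_t)p[i] << (8 * i);
    return val;
}

/* Same steps as the quoted _reas_ case, reading only within [buf, buf+len). */
int match_reason_header(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf;
    size_t left = len;

    if (left < 4 || LOWER_DWORD(safe_read(p, left)) != KW_REAS)
        return HDR_NONE;
    p += 4;
    left -= 4;
    /* "Reason:" with nothing after the colon: the full keyword needs one
     * more byte than the buffer holds, which is exactly the PR's case. */
    if (left < 4)
        return HDR_TRUNCATED;
    return LOWER_DWORD(safe_read(p, left)) == KW_ON ? HDR_REASON : HDR_NONE;
}

/* The unchecked version for comparison; buf must have 8 readable bytes. */
int unchecked_match_reason_header(const unsigned char *buf)
{
    const unsigned char *p = buf;
    if (LOWER_DWORD(READ(p)) != KW_REAS)
        return HDR_NONE;
    p += 4;
    return LOWER_DWORD(READ(p)) == KW_ON ? HDR_REASON : HDR_NONE;
}

/* Constructed inputs. The first models the PR's buffer: 7 bytes were
 * allocated, "Reason" plus the NUL that the caller overwrote with ':'.
 * An eighth byte is kept here only so the unchecked read stays in bounds
 * and its effect can be observed; in the real allocation it does not exist. */
static const unsigned char overflow_case[8] = {'R','e','a','s','o','n',':',' '};
static const size_t overflow_case_len = 7;
static const unsigned char full_header[] = "Reason: SIP;cause=200;text=\"OK\"";
static const unsigned char other_header[] = "Record-Route: <sip:proxy>";

int main(void)
{
    printf("checked, 7-byte \"Reason:\": %d (2 = truncated)\n",
           match_reason_header(overflow_case, overflow_case_len));
    printf("unchecked, same bytes:      %d (1 = matched on a byte past the end)\n",
           unchecked_match_reason_header(overflow_case));
    printf("checked, full header:       %d\n",
           match_reason_header(full_header, sizeof full_header - 1));
    printf("checked, other header:      %d\n",
           match_reason_header(other_header, sizeof other_header - 1));
    return 0;
}
```

The unchecked matcher's verdict on the 7-byte input depends entirely on whatever byte happens to follow the allocation, which is why the bug is visible under DBG_SYS_MALLOC and silent with a large PKG_MALLOC arena. The checked matcher makes the truncation an explicit outcome that a caller can handle instead of an out-of-bounds read.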