Summary: | ASTERISK-25715: [patch] ASAN:global-buffer-overflow pjsip | ||
Reporter: | Badalian Vyacheslav (slavon) | Labels: | |
Date Opened: | 2016-01-22 12:37:12.000-0600 | Date Closed: | 2016-10-30 13:41:44 |
Priority: | Minor | Regression? | |
Status: | Closed/Complete | Components: | pjproject/pjsip |
Versions: | 13.7.0 | Frequency of Occurrence: | |
Related Issues: | | | |
Environment: | centos 7 x64 | Attachments: | ( 0) pj1.patch |
Description: | last master from https://github.com/asterisk/pjproject/issues
{code}
*CLI> =================================================================
==2372==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f2039991340 at pc 0x7f2039924381 bp 0x7f2031300b40 sp 0x7f2031300b30
READ of size 7 at 0x7f2039991340 thread T34
    #0 0x7f2039924380 in pj_memcmp ../../pjlib/include/pj/string.h:682
    #1 0x7f2039924380 in pjsip_method_init_np ../src/pjsip/sip_msg.c:254
    #2 0x7f203992d602 in int_parse_req_line ../src/pjsip/sip_parser.c:1579
    #3 0x7f203992d602 in int_parse_msg ../src/pjsip/sip_parser.c:975
    #4 0x7f2039930cec in pjsip_parse_rdata ../src/pjsip/sip_parser.c:762
    #5 0x7f203994e4f3 in pjsip_tpmgr_receive_packet ../src/pjsip/sip_transport.c:1768
    #6 0x7f2039954bc0 in udp_on_read_complete ../src/pjsip/sip_transport_udp.c:175
    #7 0x7f20375c74f9 in ioqueue_dispatch_read_event ../src/pj/ioqueue_common_abs.c:591
    #8 0x7f20375cbdfa in pj_ioqueue_poll ../src/pj/ioqueue_select.c:966
    #9 0x7f203993b4ea in pjsip_endpt_handle_events2 ../src/pjsip/sip_endpoint.c:741
    #10 0x7f203a658576 in monitor_thread_exec /root/asterisk-13.7.0/res/res_pjsip.c:3555
    #11 0x7f20375cea3d in thread_main ../src/pj/os_core_unix.c:541
    #12 0x7f2045f0edc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
    #13 0x7f20451ee21c in clone (/lib64/libc.so.6+0xf621c)

0x7f2039991340 is located 99422720 bytes inside
ASAN:SIGSEGV
==2372==AddressSanitizer: while reporting a bug found another one.Ignoring.
{code} |
Comments: |
By: Asterisk Team (asteriskteam) 2016-01-22 12:37:13.692-0600
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Badalian Vyacheslav (slavon) 2016-01-22 17:10:56.704-0600
{code}
(gdb) bt
#0  0x00007ffff6f07cf1 in __asan::DescribeAddressRelativeToGlobal(unsigned long, unsigned long, __asan_global const&) () from /lib64/libasan.so.2
#1  0x00007ffff6e93f01 in __asan::DescribeOrGetInfoIfGlobal(unsigned long, unsigned long, bool, __asan_global*) [clone .part.3] () from /lib64/libasan.so.2
#2  0x00007ffff6f090c1 in __asan::DescribeAddress(unsigned long, unsigned long) () from /lib64/libasan.so.2
#3  0x00007ffff6f0aa15 in __asan_report_error () from /lib64/libasan.so.2
#4  0x00007ffff6ee2bfb in memcmp () from /lib64/libasan.so.2
#5  0x00007fffede373c9 in pj_memcmp (size=<optimized out>, buf2=<optimized out>, buf1=<optimized out>) at ../../pjlib/include/pj/string.h:682
#6  pjsip_method_init_np (m=m@entry=0x62500ab8c428, str=str@entry=0x7fffe6833d70) at ../src/pjsip/sip_msg.c:254
#7  0x00007fffede3fdf1 in int_parse_req_line (req_line=0x62500ab8c428, pool=0x62100001e100, scanner=0x7fffe6833f70) at ../src/pjsip/sip_parser.c:1579
#8  int_parse_msg (ctx=ctx@entry=0x7fffe6833f30, err_list=err_list@entry=0x62500ab8c2f0) at ../src/pjsip/sip_parser.c:975
#9  0x00007fffede4241d in pjsip_parse_rdata (buf=buf@entry=0x62500ab8b268 "OPTIONS sip:vm-asterisk04t:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.216.88.32:5060;branch=z9hG4bKghn3of302o6hf0d7c151\r\nCall-ID: fa8b37d79876df3d8a01421d6e16b9db0000072@10.216.88.32\r\nTo: sip:ping@vm-asterisk0"..., size=<optimized out>, rdata=rdata@entry=0x62500ab8b128) at ../src/pjsip/sip_parser.c:762
#10 0x00007fffede5c608 in pjsip_tpmgr_receive_packet (mgr=<optimized out>, rdata=rdata@entry=0x62500ab8b128) at ../src/pjsip/sip_transport.c:1768
#11 0x00007fffede642e1 in udp_on_read_complete (key=0x62b00000d218, op_key=<optimized out>, bytes_read=354) at ../src/pjsip/sip_transport_udp.c:175
#12 0x00007fffebcb40f9 in ioqueue_dispatch_read_event (ioqueue=ioqueue@entry=0x62800000b1c0, h=h@entry=0x62b00000d218) at ../src/pj/ioqueue_common_abs.c:591
#13 0x00007fffebcb829a in pj_ioqueue_poll (ioqueue=0x62800000b1c0, timeout=timeout@entry=0x7fffe6834c10) at ../src/pj/ioqueue_select.c:966
#14 0x00007fffede4b2fa in pjsip_endpt_handle_events2 (endpt=<optimized out>, max_timeout=max_timeout@entry=0x7fffe6834cb0, p_count=p_count@entry=0x0) at ../src/pjsip/sip_endpoint.c:741
#15 0x00007fffede4b4cc in pjsip_endpt_handle_events (endpt=<optimized out>, max_timeout=max_timeout@entry=0x7fffe6834cb0) at ../src/pjsip/sip_endpoint.c:769
#16 0x00007fffeeb591a7 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:3555
#17 0x00007fffebcbacde in thread_main (param=0x6190005b0a28) at ../src/pj/os_core_unix.c:541
#18 0x00007ffff537edc5 in start_thread () from /lib64/libpthread.so.0
#19 0x00007ffff465e21d in clone () from /lib64/libc.so.6
(gdb) f 6
#6  pjsip_method_init_np (m=m@entry=0x62500ab8c428, str=str@entry=0x7fffe6833d70) at ../src/pjsip/sip_msg.c:254
254	    if (pj_memcmp(str->ptr, method_names[i]->ptr, str->slen)==0 ||
(gdb) p str->slen
$1 = 7
(gdb) p str->ptr
$2 = 0x62500ab8b268 "OPTIONS sip:vm-asterisk04t:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.216.88.32:5060;branch=z9hG4bKghn3of302o6hf0d7c151\r\nCall-ID: fa8b37d79876df3d8a01421d6e16b9db0000072@10.216.88.32\r\nTo: sip:ping@vm-asterisk0"...
(gdb) p method_names[i]->ptr
$3 = 0x7fffede97900 "ACK"
(gdb) p i
$4 = 2
(gdb) p str
$5 = (pj_str_t *) 0x7fffe6833d70
(gdb) p *str
$6 = {ptr = 0x62500ab8b268 "OPTIONS sip:vm-asterisk04t:5060 SIP/2.0\r\nVia: SIP/2.0/UDP 10.216.88.32:5060;branch=z9hG4bKghn3of302o6hf0d7c151\r\nCall-ID: fa8b37d79876df3d8a01421d6e16b9db0000072@10.216.88.32\r\nTo: sip:ping@vm-asterisk0"..., slen = 7}
(gdb) p method_names
$7 = {0x7fffee0b3288 <pjsip_invite_method+8>, 0x7fffee0b3248 <pjsip_cancel_method+8>, 0x7fffee0b3208 <pjsip_ack_method+8>, 0x7fffee0b31c8 <pjsip_bye_method+8>, 0x7fffee0b3188 <pjsip_register_method+8>, 0x7fffee0b3148 <pjsip_options_method+8>}
(gdb) p method_names[i]
$8 = (const pj_str_t * const) 0x7fffee0b3208 <pjsip_ack_method+8>
(gdb) p *method_names[i]
$9 = {ptr = 0x7fffede97900 "ACK", slen = 3}
{code}
Patch: <Removed>

By: Joshua C. Colp (jcolp) 2016-01-25 08:16:44.090-0600
Please attach patches in all cases as attachments.

By: Badalian Vyacheslav (slavon) 2016-01-28 11:29:34.887-0600
Patch for pjsip

By: Badalian Vyacheslav (slavon) 2016-01-28 11:46:48.507-0600
I can't add patches to the review board because the develop servers don't have a connection to the internet :(

By: Rusty Newton (rnewton) 2016-01-31 09:38:49.879-0600
I don't understand - if you can attach the patch here - why can't you attach it to Gerrit? Explain further and perhaps we can help.

By: Badalian Vyacheslav (slavon) 2016-02-08 05:48:25.202-0600
Gerrit doesn't support adding a patch via the Web UI (I didn't find it in the docs or UI). Servers in the datacenter do not have access to the external network. I can't do {{git review}}. I have only ssh access to these servers. In most cases they are in draft status and show the place and the idea of a fix. But I'm not so familiar with all your branches :( fixes are shown only on the version where they were found. So I would consider my help as half the job done. |
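Added illustration, not code from pjproject or from the attached pj1.patch (which is not visible here): the C block below rebuilds the lookup at sip_msg.c:254 with the six-entry method table printed in the gdb session, shows why the 7-byte token "OPTIONS" first trips ASAN at i = 2 ("ACK"), and places a length-gated version beside it. The pj_str_t stand-in, the checked_memcmp model of ASAN's interceptor and the shape of the fix are assumptions.

```c
#include <string.h>

/* Stand-in for pjlib's pj_str_t: pointer + length, not necessarily NUL-terminated. */
typedef struct { const char *ptr; size_t slen; } pj_str_t;
/* Same entries, same order, as the method_names[] table printed in the gdb session. */
#define PJ_S(lit) { lit, sizeof(lit) - 1 }
static const pj_str_t method_names[] = {
    PJ_S("INVITE"), PJ_S("CANCEL"), PJ_S("ACK"), PJ_S("BYE"), PJ_S("REGISTER"), PJ_S("OPTIONS")
};
#define NMETHODS (sizeof(method_names) / sizeof(method_names[0]))
#define OTHER_METHOD ((int)NMETHODS)

/* pj_memcmp(str->ptr, entry->ptr, str->slen) from sip_msg.c:254 as ASAN sees it:
 * all str->slen bytes of BOTH operands must be inside their objects. A literal's
 * object includes its NUL, so an entry is readable for slen + 1 bytes ("ACK" -> 4);
 * only in-bounds bytes are compared here (no UB). Returns bytes read past entry. */
static size_t checked_memcmp(const pj_str_t *str, const pj_str_t *entry, int *cmp)
{
    size_t n = str->slen, readable = entry->slen + 1;
    *cmp = memcmp(str->ptr, entry->ptr, n < readable ? n : readable);
    return n > readable ? n - readable : 0;
}

/* The loop from the report: for the 7-byte "OPTIONS", "INVITE"/"CANCEL" still hold
 * 7 readable bytes; the first entry that does not is "ACK" at i = 2, the frame gdb
 * stopped in. The unchecked length also lets a prefix token ("INV") match. */
static int lookup_unsafe(const pj_str_t *str, size_t *first_overread_index)
{
    *first_overread_index = NMETHODS;            /* NMETHODS means "no overread" */
    for (size_t i = 0; i < NMETHODS; ++i) {
        int cmp;
        if (checked_memcmp(str, &method_names[i], &cmp) && *first_overread_index == NMETHODS)
            *first_overread_index = i;
        if (cmp == 0) return (int)i;
    }
    return OTHER_METHOD;
}

/* Hardened lookup (assumed fix shape; the attached pj1.patch is not shown on this
 * page): gate on length first, so no overread and no prefix match is possible. */
static int lookup_safe(const pj_str_t *str)
{
    for (size_t i = 0; i < NMETHODS; ++i) {
        if (str->slen == method_names[i].slen &&
            memcmp(str->ptr, method_names[i].ptr, str->slen) == 0)
            return (int)i;
    }
    return OTHER_METHOD;
}
```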