Summary: ASTERISK-25722: ASAN & testsuite: stack-buffer-overflow in sip_sipredirect
Reporter: Badalian Vyacheslav (slavon)
Labels:
Date Opened: 2016-01-23 02:45:09.000-0600
Date Closed: 2016-01-25 11:50:52.000-0600
Priority: Minor
Regression?
Status: Closed/Complete
Components: Channels/chan_sip/Security Framework
Versions: 13.7.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: Looks like security issue...

{code}

==16756==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff203abbe60 at pc 0x7ff237cfa208 bp 0x7ff203abb9c0 sp 0x7ff203abb148
WRITE of size 257 at 0x7ff203abbe60 thread T72
   #0 0x7ff237cfa207  (/lib64/libasan.so.2+0x52207)
   #1 0x7ff237cfaf5a in __interceptor_vsscanf (/lib64/libasan.so.2+0x52f5a)
   #2 0x7ff237cfb0b9 in __interceptor_sscanf (/lib64/libasan.so.2+0x530b9)
   #3 0x7ff2275b48d8 in sip_sipredirect /root/asterisk-13.7.0/channels/chan_sip.c:32957
   #4 0x7ff2274aedc7 in sip_transfer /root/asterisk-13.7.0/channels/chan_sip.c:7449
   #5 0x5685c8 in ast_transfer /root/asterisk-13.7.0/main/channel.c:6182
   #6 0x7ff2239fa857 in transfer_exec /root/asterisk-13.7.0/apps/app_transfer.c:121
   #7 0x6d083c in pbx_exec /root/asterisk-13.7.0/main/pbx.c:1722
   #8 0x6e7007 in pbx_extension_helper /root/asterisk-13.7.0/main/pbx.c:4994
   #9 0x6ed147 in ast_spawn_extension /root/asterisk-13.7.0/main/pbx.c:6216
   #10 0x6ef92c in __ast_pbx_run /root/asterisk-13.7.0/main/pbx.c:6633
   #11 0x6f2050 in pbx_thread /root/asterisk-13.7.0/main/pbx.c:6953
   #12 0x7eff7c in dummy_start /root/asterisk-13.7.0/main/utils.c:1237
   #13 0x7ff2361badc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
   #14 0x7ff23549a21c in clone (/lib64/libc.so.6+0xf621c)


{code}
Comments:

By: Asterisk Team (asteriskteam) 2016-01-23 02:45:12.361-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Corey Farrell (coreyfarrell) 2016-01-25 11:00:31.511-0600

Thanks for the report. I don't believe this is a security issue, but it is a bug so I will post a fix shortly. The stack buffer being written to is 256 characters long; the character written past the buffer is just the NULL terminator.

In the future please note this ticket tracker is public.  Please take a look at the WIKI [Asterisk Security Vulnerabilities|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities] for information on reporting a security issue without publicly disclosing.

By: Badalian Vyacheslav (slavon) 2016-01-25 11:40:38.899-0600

My mistake... I didn't look at {{%256}} and thought there was no limit to the overflow...
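The off-by-one discussed in this ticket, shown as an added example (not code from chan_sip.c or the Asterisk project): a `sscanf` field width equal to the destination size stores up to that many characters plus a terminating NUL, which matches the 257-byte write into a 256-byte buffer in the ASAN report. Only the 256-byte size and the `%256` width come from the ticket; the `[^@]` scanset, the function names and the input are constructed, and the backing array is oversized so the stray byte can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define DEST_LEN  256            /* destination size stated in the ticket */
#define MAX_CHARS 255            /* DEST_LEN - 1: leaves room for the NUL */
#define STR2(x) #x
#define STR(x)  STR2(x)          /* turns MAX_CHARS into the literal "255" */
#define CANARY  0x5A

/* Both parsers treat the first DEST_LEN bytes of `backing` as the destination.
 * The bytes after it are pre-filled with CANARY, so a write past the
 * destination is visible. Returns 1 if the byte at index DEST_LEN was
 * overwritten, 0 if it was not, -1 if nothing matched. */
static int width_equals_size(const char *in)
{
    char backing[DEST_LEN + 8];
    memset(backing, CANARY, sizeof(backing));
    if (sscanf(in, "%256[^@]", backing) != 1)   /* width == buffer size */
        return -1;
    return backing[DEST_LEN] != CANARY;
}

static int width_size_minus_one(const char *in)
{
    char backing[DEST_LEN + 8];
    memset(backing, CANARY, sizeof(backing));
    if (sscanf(in, "%" STR(MAX_CHARS) "[^@]", backing) != 1)  /* "%255[^@]" */
        return -1;
    return backing[DEST_LEN] != CANARY;
}

/* Feed a parser a constructed input: n times 'a', then "@example.invalid". */
static int overrun_at(int (*parse)(const char *), size_t n)
{
    char in[512];                /* callers keep n well below this size */
    memset(in, 'a', n);
    strcpy(in + n, "@example.invalid");
    return parse(in);
}

int main(void)
{
    printf("width 256, 300 chars: %d\n", overrun_at(width_equals_size, 300));
    printf("width 255, 300 chars: %d\n", overrun_at(width_size_minus_one, 300));
    return 0;
}
```

The stray NUL appears only when the field is at least 256 characters long, so shorter inputs parse cleanly with either width.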