
Summary: ASTERISK-26873: realtime_odbc: heap-buffer-overflow in SQLGetData
Reporter: Badalian Vyacheslav (slavon)
Labels:
Date Opened: 2017-03-14 16:06:13
Date Closed: 2020-01-14 11:14:07.000-0600
Priority: Minor
Regression?
Status: Closed/Complete
Components:
Versions: 13.14.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) bt.txt

Description:
{code}
=================================================================
==16938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000160975 at pc 0x7fbb2500bff3 bp 0x7fbae98966b0 sp 0x7fbae9895e58
READ of size 22 at 0x606000160975 thread T153
   #0 0x7fbb2500bff2  (/lib64/libasan.so.3+0x3cff2)
   #1 0x7fbb1a2fbee5 in SQLGetData (/usr/lib64/libmyodbc5a.so+0x5fee5)
   #2 0x7fbb1b544d66 in SQLGetData (/lib64/libodbc.so.2+0x19d66)
   #3 0x7fbb13913ec6 in realtime_odbc /home/pbs.vbadalyan/asterisk-13.14.0/res/res_config_odbc.c:261
   #4 0x5a6c6f in ast_load_realtime_all_fields /home/pbs.vbadalyan/asterisk-13.14.0/main/config.c:3257
   #5 0x5a76db in ast_load_realtime_fields /home/pbs.vbadalyan/asterisk-13.14.0/main/config.c:3291
   #6 0x5a76db in ast_load_realtime /home/pbs.vbadalyan/asterisk-13.14.0/main/config.c:3340
   #7 0x7fbaef2e21a4 in realtime_peer_by_name /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5439
   #8 0x7fbaef2e21a4 in realtime_peer /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5626
   #9 0x7fbaef2e21a4 in sip_find_peer_full /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5741
   #10 0x7fbaef2e2e68 in sip_find_peer /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5780
   #11 0x7fbaef3412ff in register_verify /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:17628
   #12 0x7fbaef345fee in handle_request_register /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:28467
   #13 0x7fbaef345fee in handle_incoming /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:28775
   #14 0x7fbaef34ac4a in handle_request_do /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:28943
   #15 0x7fbaef34e10e in sip_websocket_callback /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:2659
   #16 0x7fbb0d13abf4 in __ast_websocket_uri_cb /home/pbs.vbadalyan/asterisk-13.14.0/res/res_http_websocket.c:905
   #17 0x63cb05 in handle_uri /home/pbs.vbadalyan/asterisk-13.14.0/main/http.c:1482
   #18 0x63cb05 in httpd_process_request /home/pbs.vbadalyan/asterisk-13.14.0/main/http.c:1906
   #19 0x63d599 in httpd_helper_thread /home/pbs.vbadalyan/asterisk-13.14.0/main/http.c:1993
   #20 0x7930cf in handle_tcptls_connection /home/pbs.vbadalyan/asterisk-13.14.0/main/tcptls.c:742
   #21 0x7b212f in dummy_start /home/pbs.vbadalyan/asterisk-13.14.0/main/utils.c:1235
   #22 0x7fbb22e83dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
   #23 0x7fbb2216373c in clone (/lib64/libc.so.6+0xf773c)
{code}

Same effect with mysql-connector-odbc-5.3.7-1.el7.x86_64 and mysql-connector-odbc-5.3.6-1.el7.x86_64.

Comments:

By: Asterisk Team (asteriskteam) 2017-03-14 16:06:14.206-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Badalian Vyacheslav (slavon) 2017-03-14 16:32:20.500-0500

Full BT

By: Badalian Vyacheslav (slavon) 2017-03-14 16:36:46.280-0500

I tried changing 128 to SQL_BUF_SIZE in
{code}
   struct ast_str *rowdata = ast_str_thread_get(&rowdata_buf, SQL_BUF_SIZE);
{code}

but it doesn't help.

{code}
(gdb) p *rowdata
$35 = {len = 1024, used = 0, ts = 0x7fffe640e320 <rowdata_buf>, str = 0x6190008d0998 ""}

(gdb) p sizeof(rowdata->str)
$30 = 0
{code}

By: Badalian Vyacheslav (slavon) 2017-03-14 18:16:11.149-0500

Crash in the MySQL ODBC driver here:

/usr/src/debug/mysql-connector-odbc-5.3.7-src/driver/results.c:1508
{code}
1505          /* catalog functions with "fake" results won't have lengths */
1506          length= irrec->row.datalen;
1507          if (!length && stmt->current_values[sColNum])
1508            length= strlen(stmt->current_values[sColNum]);
{code}

{code}
(gdb) p sColNum
$48 = 14
{code}

If I do {{p strlen(stmt->current_values[sColNum])}} it crashes.

By: Badalian Vyacheslav (slavon) 2017-03-14 19:03:49.784-0500

This happens when the field is set to NULL. Not just for varchar; enum behaves the same. If you set the values, then everything goes well.
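
Added example, not code from Asterisk or from MySQL Connector/ODBC: a small C model of the failure mode described in this comment and the driver excerpt above, where the driver falls back to {{strlen()}} on {{current_values[col]}} when the row record carries no length, so a NULL (or unterminated) column turns into an over-read. The defensive shape shown here is the one {{res_config_odbc.c}} relies on from the ODBC side: the driver copies at most the length recorded for the column, signals NULL through the indicator rather than through the bytes, and the caller checks the indicator before touching the buffer and regrows on truncation. {{struct col_record}}, {{get_column_data}} and {{fetch_column}} are hypothetical names; the return codes mirror the values of {{SQL_SUCCESS}}, {{SQL_SUCCESS_WITH_INFO}} and {{SQL_NULL_DATA}} from {{sql.h}}, and the sample row is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same values as SQL_SUCCESS / SQL_SUCCESS_WITH_INFO / SQL_NULL_DATA in sql.h. */
#define RC_SUCCESS            0
#define RC_SUCCESS_WITH_INFO  1
#define RC_ERROR             (-1)
#define NULL_DATA            (-1L)

/* Hypothetical per-column record: value == NULL means SQL NULL; otherwise
 * datalen bytes are valid and are NOT guaranteed to be NUL-terminated. */
struct col_record {
    const char *value;
    size_t      datalen;
};

/* Driver side: the length comes from the record, never from strlen(value),
 * which is exactly the over-read a NULL/unterminated column would trigger. */
int get_column_data(const struct col_record *rec, char *buf, size_t bufsize,
                    long *indicator)
{
    if (!buf || bufsize == 0 || !indicator) {
        return RC_ERROR;
    }
    if (!rec->value) {                 /* SQL NULL: no bytes, say so via indicator */
        *indicator = NULL_DATA;
        buf[0] = '\0';
        return RC_SUCCESS;
    }
    *indicator = (long) rec->datalen;  /* full length available, ODBC-style */
    if (rec->datalen < bufsize) {
        memcpy(buf, rec->value, rec->datalen);
        buf[rec->datalen] = '\0';
        return RC_SUCCESS;
    }
    memcpy(buf, rec->value, bufsize - 1);   /* truncate, keep room for NUL */
    buf[bufsize - 1] = '\0';
    return RC_SUCCESS_WITH_INFO;
}

/* Caller side (the realtime_odbc pattern): honour the NULL indicator and
 * regrow once when told the data was truncated. Returns a malloc'd string
 * ("" for NULL) or NULL on error; *was_null reports a SQL NULL. */
char *fetch_column(const struct col_record *rec, size_t initial, int *was_null)
{
    size_t size = initial ? initial : 1;
    char *buf = malloc(size);
    long indicator = 0;
    int rc;

    *was_null = 0;
    if (!buf) return NULL;
    rc = get_column_data(rec, buf, size, &indicator);
    if (rc == RC_ERROR) { free(buf); return NULL; }
    if (indicator == NULL_DATA) {      /* check the indicator, not the bytes */
        *was_null = 1;
        return buf;
    }
    if (rc == RC_SUCCESS_WITH_INFO) {  /* regrow to the reported length + NUL */
        char *bigger = realloc(buf, (size_t) indicator + 1);
        if (!bigger) { free(buf); return NULL; }
        buf = bigger;
        rc = get_column_data(rec, buf, (size_t) indicator + 1, &indicator);
        if (rc != RC_SUCCESS) { free(buf); return NULL; }
    }
    return buf;
}

/* Self-checks used by main(); each returns 1 when behaviour is as expected. */
int check_unterminated_value(void)
{
    static const char raw[8] = { 's','e','c','r','e','t','0','1' }; /* no NUL */
    struct col_record rec = { raw, sizeof raw };
    char small[4];
    long ind = 0;
    int was_null = 0, ok;
    char *v;

    /* A 4-byte buffer must truncate to "sec" and report the full length 8. */
    ok = get_column_data(&rec, small, sizeof small, &ind) == RC_SUCCESS_WITH_INFO
         && ind == 8 && strcmp(small, "sec") == 0;
    /* The regrow path then recovers the whole value without over-reading. */
    v = fetch_column(&rec, 4, &was_null);
    ok = ok && v && !was_null && strcmp(v, "secret01") == 0;
    free(v);
    return ok;
}

int check_null_column(void)
{
    struct col_record rec = { NULL, 0 };   /* constructed NULL column */
    int was_null = 0;
    char *v = fetch_column(&rec, 4, &was_null);
    int ok = v && was_null == 1 && v[0] == '\0';
    free(v);
    return ok;
}

int main(void)
{
    printf("unterminated column handled: %s\n", check_unterminated_value() ? "yes" : "no");
    printf("NULL column handled: %s\n", check_null_column() ? "yes" : "no");
    return 0;
}
```

The point of the split is that neither side ever asks the bytes how long they are: the driver reports length and NULL-ness out of band, and the caller branches on the indicator first, then on the return code, so a NULL field with a stale pointer behind it is never dereferenced.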

By: Badalian Vyacheslav (slavon) 2017-03-14 19:33:31.312-0500

https://bugs.mysql.com/bug.php?id=85454

By: Joshua C. Colp (jcolp) 2017-03-15 08:26:18.198-0500

I don't understand your latest comments. Are you stating that the problem is in the MySQL ODBC connector?

By: Asterisk Team (asteriskteam) 2017-03-29 12:00:01.901-0500

Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidelines [1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines