Summary: | ASTERISK-26873: realtime_odbc: heap-buffer-overflow in SQLGetData | ||
Reporter: | Badalian Vyacheslav (slavon) | Labels: | |
Date Opened: | 2017-03-14 16:06:13 | Date Closed: | 2020-01-14 11:14:07.000-0600 |
Priority: | Minor | Regression? | |
Status: | Closed/Complete | Components: | |
Versions: | 13.14.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) bt.txt | |
Description: | {code}
=================================================================
==16938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000160975 at pc 0x7fbb2500bff3 bp 0x7fbae98966b0 sp 0x7fbae9895e58
READ of size 22 at 0x606000160975 thread T153
    #0 0x7fbb2500bff2 (/lib64/libasan.so.3+0x3cff2)
    #1 0x7fbb1a2fbee5 in SQLGetData (/usr/lib64/libmyodbc5a.so+0x5fee5)
    #2 0x7fbb1b544d66 in SQLGetData (/lib64/libodbc.so.2+0x19d66)
    #3 0x7fbb13913ec6 in realtime_odbc /home/pbs.vbadalyan/asterisk-13.14.0/res/res_config_odbc.c:261
    #4 0x5a6c6f in ast_load_realtime_all_fields /home/pbs.vbadalyan/asterisk-13.14.0/main/config.c:3257
    #5 0x5a76db in ast_load_realtime_fields /home/pbs.vbadalyan/asterisk-13.14.0/main/config.c:3291
    #6 0x5a76db in ast_load_realtime /home/pbs.vbadalyan/asterisk-13.14.0/main/config.c:3340
    #7 0x7fbaef2e21a4 in realtime_peer_by_name /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5439
    #8 0x7fbaef2e21a4 in realtime_peer /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5626
    #9 0x7fbaef2e21a4 in sip_find_peer_full /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5741
    #10 0x7fbaef2e2e68 in sip_find_peer /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:5780
    #11 0x7fbaef3412ff in register_verify /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:17628
    #12 0x7fbaef345fee in handle_request_register /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:28467
    #13 0x7fbaef345fee in handle_incoming /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:28775
    #14 0x7fbaef34ac4a in handle_request_do /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:28943
    #15 0x7fbaef34e10e in sip_websocket_callback /home/pbs.vbadalyan/asterisk-13.14.0/channels/chan_sip.c:2659
    #16 0x7fbb0d13abf4 in __ast_websocket_uri_cb /home/pbs.vbadalyan/asterisk-13.14.0/res/res_http_websocket.c:905
    #17 0x63cb05 in handle_uri /home/pbs.vbadalyan/asterisk-13.14.0/main/http.c:1482
    #18 0x63cb05 in httpd_process_request /home/pbs.vbadalyan/asterisk-13.14.0/main/http.c:1906
    #19 0x63d599 in httpd_helper_thread /home/pbs.vbadalyan/asterisk-13.14.0/main/http.c:1993
    #20 0x7930cf in handle_tcptls_connection /home/pbs.vbadalyan/asterisk-13.14.0/main/tcptls.c:742
    #21 0x7b212f in dummy_start /home/pbs.vbadalyan/asterisk-13.14.0/main/utils.c:1235
    #22 0x7fbb22e83dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
    #23 0x7fbb2216373c in clone (/lib64/libc.so.6+0xf773c)
{code}
some effect with mysql-connector-odbc-5.3.7-1.el7.x86_64 and mysql-connector-odbc-5.3.6-1.el7.x86_64 | ||
Comments: |
By: Asterisk Team (asteriskteam) 2017-03-14 16:06:14.206-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Badalian Vyacheslav (slavon) 2017-03-14 16:32:20.500-0500

Full BT

By: Badalian Vyacheslav (slavon) 2017-03-14 16:36:46.280-0500

I tried changing 128 to SQL_BUF_SIZE in
{code}
struct ast_str *rowdata = ast_str_thread_get(&rowdata_buf, SQL_BUF_SIZE);
{code}
but it doesn't help
{code}
(gdb) p *rowdata
$35 = {len = 1024, used = 0, ts = 0x7fffe640e320 <rowdata_buf>, str = 0x6190008d0998 ""}
(gdb) p sizeof(rowdata->str)
$30 = 0
{code}

By: Badalian Vyacheslav (slavon) 2017-03-14 18:16:11.149-0500

Crash in the MySQL ODBC driver here: /usr/src/debug/mysql-connector-odbc-5.3.7-src/driver/results.c:1508
{code}
1505   /* catalog functions with "fake" results won't have lengths */
1506   length= irrec->row.datalen;
1507   if (!length && stmt->current_values[sColNum])
1508     length= strlen(stmt->current_values[sColNum]);
{code}
{code}
(gdb) p sColNum
$48 = 14
{code}
If I do {{p strlen(stmt->current_values[sColNum])}} it crashes.

By: Badalian Vyacheslav (slavon) 2017-03-14 19:03:49.784-0500

This happens when the field is set to NULL. Not just for varchar. Enum also behaves. If you set the values, then everything goes well.

By: Badalian Vyacheslav (slavon) 2017-03-14 19:33:31.312-0500

https://bugs.mysql.com/bug.php?id=85454

By: Joshua C. Colp (jcolp) 2017-03-15 08:26:18.198-0500

I don't understand your latest comments. Are you stating that the problem is in the MySQL ODBC connector?

By: Asterisk Team (asteriskteam) 2017-03-29 12:00:01.901-0500

Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidelines [1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines |
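
The driver excerpt quoted in the thread treats a zero stored length as "unknown" and falls back to strlen(), which is only safe if the value is NUL-terminated. The following is an added illustration, not code from the MySQL connector or from Asterisk: the struct, the `have_len` flag, the function names and the sample row are hypothetical, and it assumes the caller knows where the row buffer ends.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a driver's per-column record (illustrative names). */
struct col_rec {
    const char *value;  /* points into the packed row buffer; NULL for SQL NULL */
    size_t datalen;     /* length recorded for the column */
    int have_len;       /* 1 when datalen is authoritative, even if it is 0 */
};

#define LEN_SQL_NULL ((size_t)-1)

/* Shape of the quoted excerpt: zero length falls back to strlen().
 * Only safe when value is NUL-terminated. */
static size_t col_length_unbounded(const struct col_rec *c)
{
    size_t length = c->datalen;
    if (!length && c->value)
        length = strlen(c->value);
    return length;
}

/* Bounded variant: the scan for a terminator never passes row_end. */
static size_t col_length_bounded(const struct col_rec *c, const char *row_end)
{
    if (!c->value)
        return LEN_SQL_NULL;             /* report NULL explicitly */
    if (c->have_len)
        return c->datalen;               /* a real empty string stays 0 */
    if (c->value >= row_end)
        return 0;
    size_t room = (size_t)(row_end - c->value);
    const char *nul = memchr(c->value, '\0', room);
    return nul ? (size_t)(nul - c->value) : room;
}

int main(void)
{
    /* Constructed sample: packed row with no terminator anywhere. */
    char row[8] = {'a', 'b', 'c', 'x', 'y', 'z', 'w', 'v'};
    struct col_rec unknown = { row + 3, 0, 0 };
    struct col_rec terminated = { "peer", 0, 0 };

    printf("bounded: %zu\n", col_length_bounded(&unknown, row + sizeof row));
    printf("unbounded on terminated input: %zu\n", col_length_unbounded(&terminated));
    return 0;
}
```

Building a reproducer of this kind with `-fsanitize=address` shows the same class of report as the trace in the description if the unbounded function is given an unterminated value.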