[Home]

Summary:ASTERISK-28480: json integer overflow in ssrc and timestamp
Reporter:Salah Ahmed (rubel)Labels:
Date Opened:2019-07-15 00:53:07Date Closed:2019-08-06 10:10:38
Priority:MinorRegression?
Status:Closed/CompleteComponents:Core/RTP
Versions:13.26.0 Frequency of
Occurrence
Constant
Related
Issues:
Environment:Attachments:
Description:Hello,

Recently we have found some integer overflow in ssrc and timestamp. After some research we have found jansson library has 3 types of integers representation.
i (integer) [int]: Convert a C int to JSON integer.
I (integer) [json_int_t]: Convert a C json_int_t to JSON integer.
f (real) [double]: Convert a C double to JSON real.

In some places "i" being used for ssrc and timestamp. Some time those values are get negative for some big number(Close to Max Unsigned Int). If use "I" instead of "i" this will be fixed for all cases.

Thanks,
Salah
Comments:By: Asterisk Team (asteriskteam) 2019-07-15 00:53:08.401-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

By: Kevin Harwell (kharwell) 2019-08-01 16:39:07.480-0500

[~rubel] It appears the ssrc should already be able to hold the larger values. At least in the cases I saw. I did find at least one timestamp value that could be widened along with some other RTCP values like packets_lost, etc... If you know of any specific spots in the code please let me know.

Please see the linked patch and test to make sure it works for you. Note, I did fix a few other places I saw in the code that were potentials for overflow.

By: Salah Ahmed (rubel) 2019-08-01 19:30:58.827-0500

Hi Kevin,

Just checked the patches you mentioned. It cover all the places I meant to.

Thanks,
Salah

By: Friendly Automation (friendly-automation) 2019-08-06 10:10:40.175-0500

Change 11669 merged by Friendly Automation:
various modules: json integer overflow

[https://gerrit.asterisk.org/c/asterisk/+/11669|https://gerrit.asterisk.org/c/asterisk/+/11669]

By: Friendly Automation (friendly-automation) 2019-08-06 10:32:22.620-0500

Change 11674 merged by Friendly Automation:
various modules: json integer overflow

[https://gerrit.asterisk.org/c/asterisk/+/11674|https://gerrit.asterisk.org/c/asterisk/+/11674]

By: Friendly Automation (friendly-automation) 2019-08-06 11:09:24.996-0500

Change 11670 merged by George Joseph:
various modules: json integer overflow

[https://gerrit.asterisk.org/c/asterisk/+/11670|https://gerrit.asterisk.org/c/asterisk/+/11670]

By: Friendly Automation (friendly-automation) 2019-08-06 11:09:37.053-0500

Change 11667 merged by George Joseph:
various modules: json integer overflow

[https://gerrit.asterisk.org/c/asterisk/+/11667|https://gerrit.asterisk.org/c/asterisk/+/11667]

By: Friendly Automation (friendly-automation) 2019-08-06 11:09:51.320-0500

Change 11668 merged by George Joseph:
various modules: json integer overflow

[https://gerrit.asterisk.org/c/asterisk/+/11668|https://gerrit.asterisk.org/c/asterisk/+/11668]