ASTERISK-00897: [audit-request] audit chan_sip.c for bugs and buffer overflows.

[Home]

Summary: ASTERISK-00897: [audit-request] audit chan_sip.c for bugs and buffer overflows.

Reporter: Brian West (bkw918) Labels:

Date Opened: 2004-01-22 13:11:37.000-0600 Date Closed: 2011-06-07 14:11:55

Priority: Trivial Regression? No

Status: Closed/Complete Components: Core/General

Versions: Frequency of
Occurrence

Related
Issues:

Environment: Attachments:

Description: It has been talked about in #asterisk that chan_sip contains many bugs and buffer overflows. The person making these claims will not point them out nor will they post them to the bug tracker. So I call on everyone to focus on chan_sip.c and see if we can quash these supposed bugs/buffer overflows.

Thanks,
bkw_

****** ADDITIONAL INFORMATION ******

Also lets focus on other parts of asterisk after this.

Comments: By: jrollyson (jrollyson) 2004-01-25 01:12:43.000-0600

Hmm. What level of audit are we talking about? Comparing implementation to RFC?
By: Olle Johansson (oej) 2004-01-25 06:58:48.000-0600

In the new MYSQL routines, there's an alloca() allocation that I can't find free()d anywhere. Please check.
name = alloca(strlen(peer) * 2 + 1);
in two places. Seems to be left hanging there...
By: Brian West (bkw918) 2004-01-25 20:03:25.000-0600

we are looking for buffer overflows and code cleanups. Possible overflows and such. oej is doing a good job of pointing them out... thanks oej.
By: jrollyson (jrollyson) 2004-01-25 22:05:00.000-0600

See ASTERISK-911
By: Brian West (bkw918) 2004-01-25 22:05:00.000-0600

oej you don't free an alloca
By: Tilghman Lesher (tilghman) 2004-01-25 22:05:45.000-0600

oej: Please read the manpage for alloca(3).
By: Olle Johansson (oej) 2004-01-26 08:41:23.000-0600

Ok, just suspicous... What about strcpy and not strncpy's - when are those dangerous? There's a few left, not counting those that copy fixed strings of short length.
By: Tilghman Lesher (tilghman) 2004-01-26 09:50:15.000-0600

In some of those cases, the strings in question have been previously checked for length and cannot overflow the space allocated.

Concrete examples of real possible overflows are what is needed. I've personally gone through and done buffer overflow cleanups a few weeks ago, but more eyes are needed to be sure I haven't missed anything.
By: Olle Johansson (oej) 2004-03-21 08:59:32.000-0600

Let's close this bug# and reopen if we find new problems. Ok?