Summary: ASTERISK-00897: [audit-request] audit chan_sip.c for bugs and buffer overflows.
Reporter: Brian West (bkw918)
Labels:
Date Opened: 2004-01-22 13:11:37.000-0600
Date Closed: 2011-06-07 14:11:55
Priority: Trivial
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:
It has been talked about in #asterisk that chan_sip contains many bugs and buffer overflows. The person making these claims will not point them out, nor will they post them to the bug tracker. So I call on everyone to focus on chan_sip.c and see if we can quash these supposed bugs/buffer overflows.

Thanks,
bkw_

****** ADDITIONAL INFORMATION ******

Also, let's focus on other parts of asterisk after this.
Comments:

By: jrollyson (jrollyson) 2004-01-25 01:12:43.000-0600
Hmm. What level of audit are we talking about? Comparing implementation to RFC?

By: Olle Johansson (oej) 2004-01-25 06:58:48.000-0600
In the new MYSQL routines, there's an alloca() allocation that I can't find free()d anywhere. Please check.

name = alloca(strlen(peer) * 2 + 1);

in two places. Seems to be left hanging there...

By: Brian West (bkw918) 2004-01-25 20:03:25.000-0600
We are looking for buffer overflows and code cleanups. Possible overflows and such. oej is doing a good job of pointing them out... thanks oej.

By: jrollyson (jrollyson) 2004-01-25 22:05:00.000-0600
See ASTERISK-911

By: Brian West (bkw918) 2004-01-25 22:05:00.000-0600
oej, you don't free an alloca.

By: Tilghman Lesher (tilghman) 2004-01-25 22:05:45.000-0600
oej: Please read the manpage for alloca(3).

By: Olle Johansson (oej) 2004-01-26 08:41:23.000-0600
Ok, just suspicious... What about strcpy and not strncpy - when are those dangerous? There's a few left, not counting those that copy fixed strings of short length.

By: Tilghman Lesher (tilghman) 2004-01-26 09:50:15.000-0600
In some of those cases, the strings in question have been previously checked for length and cannot overflow the space allocated. Concrete examples of real possible overflows are what is needed. I've personally gone through and done buffer overflow cleanups a few weeks ago, but more eyes are needed to be sure I haven't missed anything.

By: Olle Johansson (oej) 2004-03-21 08:59:32.000-0600
Let's close this bug# and reopen if we find new problems. Ok?
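As an added illustration of the two patterns the thread discusses (not Asterisk code), the following shows why an alloca() buffer sized strlen(peer) * 2 + 1 needs no free() and always fits a worst-case escaped string, and why a strcpy is only safe when the length was checked first; escape_quotes, bounded_copy and build_peer_query are hypothetical helpers written for this example.

```c
#include <alloca.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst and always NUL-terminate, which strncpy() does not do
 * when src is as long as dst. Returns 1 if the copy was truncated. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    int truncated = n >= dstsize;
    if (truncated)
        n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Escape ' and \ by prefixing a backslash. Each input byte becomes at most two
 * output bytes, so strlen(src) * 2 + 1 bytes of dst always suffice.
 * Returns the length of the escaped string. */
size_t escape_quotes(char *dst, const char *src)
{
    size_t o = 0;
    for (; *src; src++) {
        if (*src == '\'' || *src == '\\')
            dst[o++] = '\\';
        dst[o++] = *src;
    }
    dst[o] = '\0';
    return o;
}

/* Build a "name='...'" fragment for a peer name. The scratch buffer comes from
 * alloca(): it lives on the stack and is released when this function returns,
 * so there is nothing to free(). Returns 1 if the result fit into out. */
int build_peer_query(char *out, size_t outsize, const char *peer)
{
    char *name = alloca(strlen(peer) * 2 + 1); /* sizing quoted in the thread */
    size_t esc_len = escape_quotes(name, peer);

    /* A strcpy(name, peer) would be safe here because the buffer is provably
     * large enough; the final copy is not pre-checked, so it must be bounded. */
    (void)esc_len;
    int n = snprintf(out, outsize, "name='%s'", name);
    return n >= 0 && (size_t)n < outsize;
}
```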