Summary: ASTERISK-00897: [audit-request] audit chan_sip.c for bugs and buffer overflows.
Reporter: Brian West (bkw918)
Labels:
Date Opened: 2004-01-22 13:11:37.000-0600
Date Closed: 2011-06-07 14:11:55
Description: It has been talked about in #asterisk that chan_sip contains many bugs and buffer overflows. The person making these claims will not point them out, nor will they post them to the bug tracker. So I call on everyone to focus on chan_sip.c and see if we can quash these supposed bugs/buffer overflows.
****** ADDITIONAL INFORMATION ******
Also let's focus on other parts of Asterisk after this.
Comments:
By: jrollyson (jrollyson) 2004-01-25 01:12:43.000-0600
Hmm. What level of audit are we talking about? Comparing implementation to RFC?
By: Olle Johansson (oej) 2004-01-25 06:58:48.000-0600
In the new MYSQL routines, there's an alloca() allocation that I can't find free()d anywhere. Please check.
name = alloca(strlen(peer) * 2 + 1);
in two places. Seems to be left hanging there...
By: Brian West (bkw918) 2004-01-25 20:03:25.000-0600
We are looking for buffer overflows and code cleanups. Possible overflows and such. oej is doing a good job of pointing them out... thanks oej.
By: jrollyson (jrollyson) 2004-01-25 22:05:00.000-0600
By: Brian West (bkw918) 2004-01-25 22:05:00.000-0600
oej, you don't free an alloca.
By: Tilghman Lesher (tilghman) 2004-01-25 22:05:45.000-0600
oej: Please read the manpage for alloca(3).
By: Olle Johansson (oej) 2004-01-26 08:41:23.000-0600
Ok, just suspicious... What about strcpy and not strncpy - when are those dangerous? There's a few left, not counting those that copy fixed strings of short length.
By: Tilghman Lesher (tilghman) 2004-01-26 09:50:15.000-0600
In some of those cases, the strings in question have been previously checked for length and cannot overflow the space allocated.
Concrete examples of real possible overflows are what is needed. I've personally gone through and done buffer overflow cleanups a few weeks ago, but more eyes are needed to be sure I haven't missed anything.
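The two patterns the thread contrasts, as an added example that is not code from chan_sip.c or from any commenter: a strcpy that is only safe because the caller has already checked the length, and a bounded copy that also handles strncpy's own trap of not writing a terminator. The field size and peer names are constructed assumptions, not values from Asterisk.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size field, in the spirit of the name fields in chan_sip peer structs. */
#define PEER_NAME_LEN 16

/* Pattern 1: the "checked first" case. strcpy is only safe here because the
 * source length, including its NUL, has been verified against the destination. */
int copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsize)       /* would overflow: refuse and copy nothing */
        return -1;
    strcpy(dst, src);       /* safe: n + 1 <= dstsize */
    return 0;
}

/* Pattern 2: bounded copy. strncpy alone is not enough: if src is dstsize
 * characters or longer it leaves dst without a NUL, so the terminator is
 * written explicitly. Returns 1 if the value was truncated, 0 otherwise. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize ? 1 : 0;
}

/* Runs both patterns on constructed peer names; returns 0 when each behaves as expected. */
int demo(void)
{
    char name[PEER_NAME_LEN];
    const char *ok = "sip-peer-01";                         /* 11 chars: fits */
    const char *toolong = "this-peer-name-is-far-too-long"; /* 30 chars: does not fit */

    if (copy_checked(name, sizeof name, ok) != 0 || strcmp(name, ok) != 0)
        return 1;
    if (copy_checked(name, sizeof name, toolong) != -1)     /* must be rejected, not copied */
        return 2;
    if (copy_bounded(name, sizeof name, toolong) != 1)      /* must report truncation */
        return 3;
    if (strlen(name) != PEER_NAME_LEN - 1 || name[PEER_NAME_LEN - 1] != '\0')
        return 4;                                           /* must stay NUL-terminated */
    return 0;
}
```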
By: Olle Johansson (oej) 2004-03-21 08:59:32.000-0600
Let's close this bug# and reopen if we find new problems. Ok?