Summary: ASTERISK-12811: [patch] Crash in decode_length - udptl.c:159
Reporter: Atis Lezdins (atis)
Labels:
Date Opened: 2008-10-02 03:12:17
Date Closed: 2009-02-09 14:26:00.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/T.38
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) 20090106__bug13600.diff.txt
( 1) bt.core.6288.txt
Description: After a few months of using T.38 passthrough we got a crash related to it.

The crash is in Asterisk 1.4.19, but the related udptl.c hasn't received any bugfixes since then.

Full backtrace attached.

#0  0x00000000004d9a21 in decode_length (buf=0xfb3048 "\200", limit=172, len=0x409946c0, pvalue=0x40994548) at udptl.c:159
#1  0x00000000004d9ba0 in decode_open_type (buf=0xfb3048 "\200", limit=172, len=0x409946c0, p_object=0x409946c8, p_num_octets=0x40994614) at udptl.c:193
#2  0x00000000004d9fbe in udptl_rx_packet (s=0xfb2900, buf=0xfb3048 "\200", len=172) at udptl.c:322
#3  0x00000000004db69a in ast_udptl_read (udptl=0xfb2900) at udptl.c:667
#4  0x00002aaab5343801 in sip_rtp_read (ast=0xb5f150, p=0xc8b5c0, faxdetect=0x4099482c) from /usr/lib/asterisk/modules/chan_sip.so
#5  0x00002aaab5343ba1 in sip_read (ast=0xb5f150) from /usr/lib/asterisk/modules/chan_sip.so
#6  0x0000000000447e40 in __ast_read (chan=0xb5f150, dropaudio=0) at channel.c:2076
#7  0x0000000000449503 in ast_read (chan=0xb5f150) at channel.c:2353
#8  0x00000000004b1f1f in bridge_p2p_loop (c0=0xb5f150, c1=0xce1170, p0=0xcc08a0, p1=0xce1f50, timeoutms=-1, flags=0, fo=0x409955b8, rc=0x409955b0, pvt0=0xc8b5c0, pvt1=0xc3fd50) at rtp.c:3191
#9  0x00000000004b2f5f in ast_rtp_bridge (c0=0xb5f150, c1=0xce1170, flags=0, fo=0x409955b8, rc=0x409955b0, timeoutms=-1) at rtp.c:3416
#10 0x0000000000451570 in ast_channel_bridge (c0=0xb5f150, c1=0xce1170, config=0x409959b0, fo=0x409955b8, rc=0x409955b0) at channel.c:4174
#11 0x00002aaaac2bb1b5 in ast_bridge_call (chan=0xb5f150, peer=0xce1170, config=0x409959b0) at res_features.c:1422
#12 0x00002aaab80bca66 in dial_exec_full (chan=0xb5f150, data=0x409989e0, peerflags=0x40996840, continue_exec=0x0) from /usr/lib/asterisk/modules/app_dial.so
#13 0x00002aaab80bd535 in dial_exec (chan=0xb5f150, data=0x409989e0) from /usr/lib/asterisk/modules/app_dial.so
#14 0x00000000004945cd in pbx_exec (c=0xb5f150, app=0xac7d20, data=0x409989e0) at pbx.c:537
#15 0x0000000000498683 in pbx_extension_helper (c=0xb5f150, con=0x0, context=0xb5f4f0 "callweaver_in", exten=0xb5f540 "22405", priority=5, label=0x0, callerid=0xb6cd80 "7077668077", action=E_SPAWN) at pbx.c:1862
#16 0x00000000004999f8 in ast_spawn_extension (c=0xb5f150, context=0xb5f4f0 "callweaver_in", exten=0xb5f540 "22405", priority=5, callerid=0xb6cd80 "7077668077") at pbx.c:2317
#17 0x0000000000499f9c in __ast_pbx_run (c=0xb5f150) at pbx.c:2419
#18 0x000000000049ae53 in pbx_thread (data=0xb5f150) at pbx.c:2634
#19 0x00000000004e0d6e in dummy_start (data=0xc12090) at utils.c:865
#20 0x00000036fc6062f7 in start_thread () from /lib64/libpthread.so.0
#21 0x00000036fb2ce86d in clone () from /lib64/libc.so.6
#22 0x0000000000000000 in ?? ()


****** ADDITIONAL INFORMATION ******

I set status to private as this code crashing seems to be directly related to receiving data from TCP, thus it might be a security vulnerability.
Comments:

By: Leif Madsen (lmadsen) 2008-10-06 11:15:34

Is this supposed to be marked as private?

By: Atis Lezdins (atis) 2008-10-06 12:27:32

Yes, I'd like some dev to look at it first, to see if this makes a remote crash possible.

By: Mark Michelson (mmichelson) 2008-10-13 15:46:45

The problem, in case it wasn't clear before, is that there is a crash which occurs when trying to read 16461991 bytes into the "buf" buffer. The problem is that this buffer only had 172 bytes of data in it. The udptl.c code is rather cryptic and so I'm not sure how numbers are calculated and if this crash is potentially remotely exploitable.

By: Tilghman Lesher (tilghman) 2009-01-06 19:37:31.000-0600

Yep, it certainly is possible to cause a crash, since it's not checking the bounds until after a read (possibly out of bounds) is done.
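
The two comments above describe the same defect from two sides: mmichelson sees a read of 16461991 bytes attempted against a 172-byte buffer, and tilghman points out that the length check runs only after the byte has already been fetched. The following is an added example, written for this page and not the Asterisk udptl.c code; it borrows only the function names decode_length and decode_open_type from the backtrace, and the bodies, return codes and sample packets are mine. It decodes the X.691 PER length determinant that T.38 UDPTL uses (one octet for 0..127, two octets with the top bits 10 for up to 16383, and 0xC1..0xC4 announcing 1..4 fragments of 16384 octets), checking the remaining space before every read, and it refuses an announced payload length that exceeds what the packet actually holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return codes for the length decoder (names chosen for this example). */
enum { LEN_OK = 0, LEN_FRAGMENT = 1, LEN_TRUNCATED = -1 };

/* Decode a PER length determinant starting at buf[*len].
 * The bounds check comes first: buf[*len] is never touched unless *len < limit. */
static int decode_length(const uint8_t *buf, size_t limit, size_t *len, unsigned int *pvalue)
{
    if (*len >= limit)
        return LEN_TRUNCATED;          /* nothing left to read; do not look at buf[*len] */
    uint8_t first = buf[*len];

    if ((first & 0x80) == 0) {         /* single-octet form: 0..127 */
        *pvalue = first;
        *len += 1;
        return LEN_OK;
    }
    if ((first & 0x40) == 0) {         /* two-octet form: 14-bit length */
        if (*len + 1 >= limit)         /* second octet must also be present */
            return LEN_TRUNCATED;
        *pvalue = ((unsigned int)(first & 0x3F) << 8) | buf[*len + 1];
        *len += 2;
        return LEN_OK;
    }
    /* Fragment form: low bits give the number of 16384-octet blocks, 1..4 are valid. */
    unsigned int blocks = first & 0x3F;
    if (blocks < 1 || blocks > 4)
        return LEN_TRUNCATED;          /* reserved encoding, treat as malformed */
    *pvalue = blocks * 16384u;
    *len += 1;
    return LEN_FRAGMENT;
}

/* Decode an open type: a length followed by that many octets of payload.
 * The announced length is validated against the bytes actually remaining
 * before a pointer into the buffer is handed back. */
static int decode_open_type(const uint8_t *buf, size_t limit, size_t *len,
                            const uint8_t **p_object, size_t *p_num_octets)
{
    unsigned int octets = 0;
    int rc = decode_length(buf, limit, len, &octets);
    if (rc != LEN_OK)
        return -1;                     /* truncated or fragmented: reject, do not guess */
    if (octets > limit - *len)         /* *len <= limit holds here, so no wraparound */
        return -1;                     /* payload claims more than the packet contains */
    *p_object = buf + *len;
    *p_num_octets = octets;
    *len += octets;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_ONE_OCTET[] = { 0x05, 'h', 'e', 'l', 'l', 'o' }; /* length 5, 5 bytes follow */
static const uint8_t SAMPLE_OVERSIZED[] = { 0xBF, 0xFF, 0x00, 0x00 };        /* claims 16383, only 2 follow */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x80 };                          /* two-octet form cut short */
static const uint8_t SAMPLE_FRAGMENT[]  = { 0xC1, 0x00 };                    /* one 16384-octet fragment */

/* Small wrappers so each case yields one checkable value. */
static int length_rc(const uint8_t *buf, size_t limit)
{
    size_t len = 0; unsigned int v = 0;
    return decode_length(buf, limit, &len, &v);
}
static unsigned int length_value(const uint8_t *buf, size_t limit)
{
    size_t len = 0; unsigned int v = 0;
    decode_length(buf, limit, &len, &v);
    return v;
}
static int open_type_rc(const uint8_t *buf, size_t limit)
{
    size_t len = 0, n = 0; const uint8_t *obj = NULL;
    return decode_open_type(buf, limit, &len, &obj, &n);
}
static size_t open_type_octets(const uint8_t *buf, size_t limit)
{
    size_t len = 0, n = 0; const uint8_t *obj = NULL;
    decode_open_type(buf, limit, &len, &obj, &n);
    return n;
}

int main(void)
{
    printf("one-octet : rc=%d value=%u open=%d\n", length_rc(SAMPLE_ONE_OCTET, 6),
           length_value(SAMPLE_ONE_OCTET, 6), open_type_rc(SAMPLE_ONE_OCTET, 6));
    printf("oversized : rc=%d value=%u open=%d\n", length_rc(SAMPLE_OVERSIZED, 4),
           length_value(SAMPLE_OVERSIZED, 4), open_type_rc(SAMPLE_OVERSIZED, 4));
    printf("truncated : rc=%d\n", length_rc(SAMPLE_TRUNCATED, 1));
    printf("empty     : rc=%d\n", length_rc(SAMPLE_ONE_OCTET, 0));
    printf("fragment  : rc=%d value=%u open=%d\n", length_rc(SAMPLE_FRAGMENT, 2),
           length_value(SAMPLE_FRAGMENT, 2), open_type_rc(SAMPLE_FRAGMENT, 2));
    return 0;
}
```

The ordering in decode_length is the whole point: the `*len >= limit` test sits above the first `buf[*len]` access, which is what the commit message later on this page ("Don't read into a buffer without first checking if a value is beyond the end") describes. The second guard in decode_open_type covers the 172-byte packet announcing a multi-megabyte payload: the length itself decodes cleanly, so the caller has to compare it against the bytes that remain before using it.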

By: Tilghman Lesher (tilghman) 2009-01-08 15:26:14.000-0600

Patch is here.  Can you test?

By: Atis Lezdins (atis) 2009-01-08 16:41:57.000-0600

Somehow I missed the notification that a patch was added.
I'll get to it next week.

By: Leif Madsen (lmadsen) 2009-01-09 10:05:23.000-0600

atis: ya... there were some issues with the emailing over the last week (which are now resolved), so that is probably what happened.

By: Atis Lezdins (atis) 2009-01-13 08:33:20.000-0600

Is it possible to grant access to Steve Underwood for this issue?
His credentials are in udptl.c, so he could take a look at this and comment.

Personally, I've tested ~500 faxes through the patched version with added warnings on those return conditions, but I don't see them in the log, so I can't reproduce the situation for now.

As this affects Callweaver too, it would be great to synchronize commits/security releases.

By: Tilghman Lesher (tilghman) 2009-01-13 09:09:05.000-0600

atis: so this patch fixed your crash?

By: Digium Subversion (svnbot) 2009-01-14 13:02:56.000-0600

Repository: asterisk
Revision: 168603

U   branches/1.4/main/udptl.c

------------------------------------------------------------------------
r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines

Don't read into a buffer without first checking if a value is beyond the end.
(closes issue ASTERISK-12811)
Reported by: atis
Patches:
      20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
Tested by: atis

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=168603

By: Digium Subversion (svnbot) 2009-01-14 13:11:15.000-0600

Repository: asterisk
Revision: 168604

_U  trunk/
U   trunk/main/udptl.c

------------------------------------------------------------------------
r168604 | tilghman | 2009-01-14 13:11:14 -0600 (Wed, 14 Jan 2009) | 14 lines

Merged revisions 168603 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines
 
 Don't read into a buffer without first checking if a value is beyond the end.
 (closes issue ASTERISK-12811)
  Reported by: atis
  Patches:
        20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
  Tested by: atis
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=168604

By: Digium Subversion (svnbot) 2009-01-14 13:11:57.000-0600

Repository: asterisk
Revision: 168605

_U  branches/1.6.0/
U   branches/1.6.0/main/udptl.c

------------------------------------------------------------------------
r168605 | tilghman | 2009-01-14 13:11:57 -0600 (Wed, 14 Jan 2009) | 21 lines

Merged revisions 168604 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r168604 | tilghman | 2009-01-14 13:11:14 -0600 (Wed, 14 Jan 2009) | 14 lines
 
 Merged revisions 168603 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines
   
   Don't read into a buffer without first checking if a value is beyond the end.
   (closes issue ASTERISK-12811)
    Reported by: atis
    Patches:
          20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
    Tested by: atis
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=168605

By: Digium Subversion (svnbot) 2009-01-14 13:12:34.000-0600

Repository: asterisk
Revision: 168606

_U  branches/1.6.1/
U   branches/1.6.1/main/udptl.c

------------------------------------------------------------------------
r168606 | tilghman | 2009-01-14 13:12:34 -0600 (Wed, 14 Jan 2009) | 21 lines

Merged revisions 168604 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r168604 | tilghman | 2009-01-14 13:11:14 -0600 (Wed, 14 Jan 2009) | 14 lines
 
 Merged revisions 168603 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines
   
   Don't read into a buffer without first checking if a value is beyond the end.
   (closes issue ASTERISK-12811)
    Reported by: atis
    Patches:
          20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
    Tested by: atis
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=168606