Dear all —
Please find attached two sample programs that parse a SIP message using pjsip_parse_msg. Both programs cause a stack-buffer overflow.
# Version
trunk
# How to reproduce pjsip_multipart_parse overflow:
$ clang -o out multipart-parse-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
$ valgrind ./out
The resulting valgrind output is attached.
# How to reproduce pj_scan_get_quotes overflow:
$ clang -o out pj-scan-get-quotes-overflow.c pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
$ valgrind ./out
The resulting valgrind output is attached.
The issues have been found with afl-fuzz in ASAN mode.
Cheers
-Stephan Zeisberg
Hi Stephan,
Thanks for the report.
I ran all three programs under AddressSanitizer (https://github.com/google/sanitizers/wiki/AddressSanitizer) and it didn't report any warning or error at all.
Command I used (on Mac):
clang -fsanitize=address -O1 -fno-omit-frame-pointer -g -o out pj-scan-get-until-ch-overflow.c pjsip/lib/libpjsip-x86_64-apple-darwin16.7.0.a pjlib-util/lib/libpjlib-util-x86_64-apple-darwin16.7.0.a pjlib/lib/libpj-x86_64-apple-darwin16.7.0.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm && ./out
The valgrind reports you attached do not seem to point to any stack overflow either (or perhaps it could be me that doesn't know how to read it). So if you have additional details (such as which packet bytes trigger the issue, or better yet, which particular PJSIP code is the problematic one, or even better yet, how to fix it :) ), please share them with us.
Regards,
Ming
On Fri, Nov 10, 2017 at 12:14 AM, Stephan Zeisberg stephan@srlabs.de wrote:
Visit our blog: http://blog.pjsip.org
pjsip mailing list
pjsip@lists.pjsip.org
http://lists.pjsip.org/mailman/listinfo/pjsip_lists.pjsip.org
Hi Ming —
Please try the following to reproduce the issues:
$ ./configure CFLAGS='-fsanitize=address -fno-omit-frame-pointer' LDFLAGS='-fsanitize=address -fno-omit-frame-pointer'
$ clang -o out multipart-parse-overflow.c -O1 -g -fsanitize=address -fno-omit-frame-pointer pjsip/lib/libpjsip-x86_64-unknown-linux-gnu.a pjlib-util/lib/libpjlib-util-x86_64-unknown-linux-gnu.a pjlib/lib/libpj-x86_64-unknown-linux-gnu.a -Ipjlib/include/ -Ipjlib-util/include/ -Ipjsip/include -lpthread -lm -luuid
$ ./out
I've attached the AddressSanitizer output for the three issues.
Best
-Stephan
On 11/10/2017 02:05 AM, Ming wrote:
Hi Stephan,
Ah, silly me. Forgot to include the flags when compiling PJSIP.
Thanks for letting me know. I've found the problems and fixed them, all three programs you sent coughed up no errors now. Currently still checking for the same patterns in other places as well. Will update you when it's done, probably early next week.
Thanks a lot and have a good weekend.
Regards,
Ming
On Fri, Nov 10, 2017 at 4:48 PM, Stephan Zeisberg stephan@srlabs.de wrote:
Hi.
I'm implementing a softphone that must create a new thread when a function is invoked.
This thread executes another very simple function. The simple function just prints a 'hello world' and nothing more.
When the simple function ends, the entire softphone crashes and 'dies'.
Could someone check the code (C++) below and tell me if I am doing something wrong please?
I created the thread:
pj_caching_pool_init(&cp, NULL, 1024*1024);
pool = pj_pool_create(&cp.factory,                  // the factory
                      "pool5",                      // pool's name
                      PJ_THREAD_DEFAULT_STACK_SIZE, // initial size
                      4000,                         // increment size
                      NULL);                        // default callback on allocation failure
if (pool == NULL) {
    qDebug(" Pool error. \n");
}
else {
    // pj_thread_proc is int (*)(void *); with sdCardWatchDog declared with that
    // signature no cast is needed, and the returned status should be checked.
    pj_status_t status = pj_thread_create(pool, "MySimpleThread", &sdCardWatchDog,
                                          NULL,                         // argument passed to the thread
                                          PJ_THREAD_DEFAULT_STACK_SIZE, // stack size
                                          0,                            // flags
                                          &newThread);
    if (status != PJ_SUCCESS) {
        qDebug(" Thread creation error. \n");
    }
}
The code of the simple function is:
static int sdCardWatchDog(void *arg)
{
    PJ_UNUSED_ARG(arg);            // no argument is passed in
    qDebug(" Hello World !! \n");
    return 0;                      // the thread's exit code
}
In header file I have:
pj_caching_pool cp;
pj_thread_t *newThread;
pj_pool_t *pool;
static int sdCardWatchDog(void *arg);   // must match pj_thread_proc: int (void *)
Any hint will be very helpful!
Best regards.
RODRIGO PIMENTA CARVALHO
Inatel Competence Center
Software
Ph: +55 35 3471 9200 RAMAL 979
From: pjsip pjsip-bounces@lists.pjsip.org on behalf of Ming ming@teluu.com
Sent: Friday, 10 November 2017 08:04
To: pjsip list
Subject: Re: [pjsip] Stack-buffer overflow in pjsip_multipart_parse and pj_scan_get_quotes
Hi Stephan,
In all three of the sample programs you provided, according to pjsip_parse_msg() spec:
 * @param buf  The input buffer, which MUST be NULL terminated.
 * @param size The length of the string (not counting NULL terminator).
these are actually needed:
char packet [] = ".....\x00";
pjsip_parse_msg(pool, packet, sizeof(packet)-1, &err_list);
Best regards,
Ming
On Fri, Nov 10, 2017 at 6:04 PM, Ming ming@teluu.com wrote:
Hi Ming —
The standard (6.4.5 String Literals) says:
"A byte or code of value zero is appended to each multibyte character sequence that results from a string literal or literals."
So for example, the string literal char bar[] = "foo" contains the implicit null-terminator.
sizeof(bar) = 4
Thus, the three sample programs should actually be correct.
Best regards
-Stephan
On 11/13/2017 09:29 AM, Ming wrote:
Hi Ming
Ah, sorry. "The length of the string (not counting NULL terminator)." My fault.
Best
-Stephan
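The contract Ming quotes (buffer NUL-terminated, size not counting the terminator) and the sizeof point from the C standard, worked through in an added example that is not code from this thread or from PJSIP. LITERAL_LEN, count_lines_sentinel, parse_checked, the demo_* functions and the SAMPLE message are all constructed for the example; the scanner is a stand-in for a sentinel-driven scanner of the kind the parser contract implies, not pj_scan itself:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* For a char array initialised from a string literal, sizeof() counts the
 * implicit terminator (C11 6.4.5), so the message length is sizeof - 1:
 * this is the sizeof(packet)-1 from Ming's note. */
#define LITERAL_LEN(arr) (sizeof(arr) - 1)

enum parse_status { PARSE_OK = 0, PARSE_ENOTTERM = 1, PARSE_EINCOMPLETE = 2 };

/* Constructed sample message; not one of the attachments from the thread. */
static const char SAMPLE[] =
    "INVITE sip:alice@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP host.example.com\r\n"
    "\r\n";

/* Hypothetical stand-in for a sentinel-driven scanner: it carries no explicit
 * end pointer and stops only at a NUL byte. Returns the number of
 * CRLF-terminated lines, or -1 if text remains after the last CRLF. */
static int count_lines_sentinel(const char *buf)
{
    int lines = 0;
    const char *p = buf;
    while (*p != '\0') {
        const char *crlf = strstr(p, "\r\n");
        if (crlf == NULL)
            return -1;
        lines++;
        p = crlf + 2;
    }
    return lines;
}

/* Checked entry point (constructed, not a PJSIP API). It enforces the
 * documented contract before the scanner runs: buf[size] must be '\0', and
 * size counts message bytes only. Reading buf[size] is legitimate precisely
 * because the contract says that byte exists and is the terminator. */
int parse_checked(const char *buf, size_t size, int *lines_out)
{
    if (buf == NULL || buf[size] != '\0')
        return PARSE_ENOTTERM;              /* contract violated: do not scan */
    int n = count_lines_sentinel(buf);
    if (n < 0)
        return PARSE_EINCOMPLETE;
    *lines_out = n;
    return PARSE_OK;
}

/* Correct usage: the length excludes the terminator, so buf[size] is the NUL. */
int demo_correct_length(void)
{
    int lines = 0;
    if (parse_checked(SAMPLE, LITERAL_LEN(SAMPLE), &lines) != PARSE_OK)
        return -1;
    return lines;                            /* 3 */
}

/* The same bytes copied into a larger buffer whose byte after the message is
 * not NUL: from the parser's side this is what a wrong size looks like. The
 * trailing bytes end in CRLF plus a NUL only to keep the demo in bounds. */
static void fill_demo_buffer(char *raw, size_t n)
{
    memset(raw, 'X', n);
    raw[n - 3] = '\r';
    raw[n - 2] = '\n';
    raw[n - 1] = '\0';
    memcpy(raw, SAMPLE, LITERAL_LEN(SAMPLE));
}

/* The checked wrapper refuses the buffer instead of scanning it. */
int demo_missing_terminator(void)
{
    char raw[128];
    int lines = 0;
    fill_demo_buffer(raw, sizeof(raw));
    return parse_checked(raw, LITERAL_LEN(SAMPLE), &lines);   /* PARSE_ENOTTERM */
}

/* The unchecked scanner keeps going past the message and reports one line
 * more than the message contains: the over-read the contract rules out. */
int demo_unchecked_overread(void)
{
    char raw[128];
    fill_demo_buffer(raw, sizeof(raw));
    return count_lines_sentinel(raw);        /* 4 */
}

int main(void)
{
    printf("sizeof(SAMPLE)=%zu strlen(SAMPLE)=%zu LITERAL_LEN(SAMPLE)=%zu\n",
           sizeof(SAMPLE), strlen(SAMPLE), LITERAL_LEN(SAMPLE));
    printf("checked, correct length  -> %d lines\n", demo_correct_length());
    printf("checked, no terminator   -> status %d\n", demo_missing_terminator());
    printf("unchecked, no terminator -> %d lines\n", demo_unchecked_overread());
    return 0;
}
```

The point of demo_unchecked_overread is that a scanner which trusts the sentinel has no way to notice a wrong size; it just keeps reading whatever follows the message. A harness that hands such a parser a buffer with the wrong length will therefore report faults inside the parser even when the parser is behaving as documented, which is why checking the caller's use of the API contract is the first thing to do with a fuzzer finding.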
Hi Stephan,
Yes, I initially missed that too.
A little bit about the history of our parser:
"The very first component of PJSIP is the parser, which was created to participate in internal parser contest in Switchlab, Ltd. ..." (from http://www.pjsip.org/about.htm)
So it was created with efficiency and speed in mind (note that it was created many years ago, when speed was paramount, and we pride ourselves in achieving that), and in exchange for that speed boost, the spec of the input was intentionally made more restrictive. Of course, nowadays, with those multicore CPUs and GHz of processing power, speed has less relevance; nevertheless we will let the code remain as is, for now.
Regards,
Ming
On Mon, Nov 13, 2017 at 4:49 PM, Stephan Zeisberg stephan@srlabs.de wrote: