[OpenSIPS-Devel] libsms_getsms.c out of bounds memory access

Pascal Cuoq pascal_cuoq at hotmail.com
Wed Jun 16 16:51:25 CEST 2010


Hello,
There is a potential out-of-bounds memory access in function fetchsms in libsms_getsms.c in the current SVN HEAD version of this file (but don't worry, it has been there since OpenSER).
If the answer returned happens to be
".....about 500 characters of gibberish.....+CMGL: "
assuming the right branch is taken, the test (*end<'9' && *end>'0') at line 155 will be true the first time (*end being the '\0' char that can be expected to have been put there to terminate the string by function put_command). On the second iteration, *end will be an illegal memory access.
We found this bug using the value analysis of Frama-C: http://frama-c.com/
Best regards,
Pascal
Some details in case anyone is interested:
Frama-C is a collection of software analyzers intended among other things for verification of critical code. During the verification of critical code, you start with code that is already pretty much bug-free because of the way it is developed, and when you are finished, you are definitely convinced that it is bug-free. In order to be usable for verification, Frama-C and the couple of existing comparable tools chose to be "correct": they never remain silent when there is a possibility of a bug somewhere. This means that they have more false positives than static analyzers intended for debugging, which always have the choice to remain silent when their analyses are imprecise and they are not sure whether there is a bug or not.
We would never have found the bug above among all the false positives if we had tried to analyze the whole of OpenSIPS, but as it turned out, a bit of the function had had another bug previously and both the version with the two bugs and the version with one bug corrected were included in a benchmark for static analyzers:
http://se.cs.toronto.edu/index.php/Verisec_Suite
(case CVE-2006-6876)
It says a lot that the bug was included by accident in a static analysis benchmark on which several analyzers were tried, and that it wasn't discovered earlier. Neither verification analyzers nor debugging analyzers are perfect yet, but hey, we did find the bug in the end.
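The failure mode described in the report, as an added illustration that is not the OpenSIPS code and not part of the original message: a fixed-size answer buffer filled by the modem driver, a forward scan that advances until it finds a digit, and a constructed answer in which "+CMGL: " ends exactly at the terminating '\0'. The buffer size, the answer contents and the helper names are assumptions. The scan loop is written in the form in which a '\0' satisfies its test, as the report says it does (0 is below '0'); the exact inequalities in the OpenSIPS source are not reproduced here. The bounded variant checks both the terminator and the end of the buffer before every dereference, which is the fix a reviewer would ask for.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

#define ANSWER_SIZE 512   /* assumed size of the fixed answer buffer */

/*
 * Vulnerable shape of the scan (assumption, not the OpenSIPS source):
 * advance until a digit is found. '\0' (0) is below '0' (48), so the
 * terminator satisfies the test and the scan runs past the end of the
 * buffer when no digit precedes it. Shown for contrast; only ever
 * called below on input that does contain a digit.
 */
const char *skip_to_digit_unbounded(const char *p)
{
    while (*p < '0' || *p > '9')
        p++;
    return p;
}

/* Bounded version: stop at the terminator or at the end of the buffer. */
const char *skip_to_digit_bounded(const char *p, const char *limit)
{
    while (p < limit && *p != '\0' && (*p < '0' || *p > '9'))
        p++;
    if (p == limit || *p == '\0')
        return NULL;
    return p;
}

/*
 * Parse the memory index that follows "+CMGL:" in a modem answer held
 * in a buffer of answer_len bytes. Returns the index, or -1 if the
 * answer is not terminated, has no "+CMGL:", or is truncated before
 * the index digits.
 */
int parse_cmgl_index(const char *answer, size_t answer_len)
{
    const char *limit = answer + answer_len;
    const char *pos, *p;
    int idx = 0;

    /* refuse to strstr() a buffer that is not NUL-terminated inside its bounds */
    if (memchr(answer, '\0', answer_len) == NULL)
        return -1;
    pos = strstr(answer, "+CMGL:");
    if (pos == NULL)
        return -1;
    p = skip_to_digit_bounded(pos + 6, limit);
    if (p == NULL)
        return -1;
    while (p < limit && *p >= '0' && *p <= '9') {
        if (idx > (INT_MAX - 9) / 10)   /* overflow guard */
            return -1;
        idx = idx * 10 + (*p - '0');
        p++;
    }
    return idx;
}

/* Constructed answer resembling a +CMGL listing (not captured from a modem). */
int demo_normal(void)
{
    char answer[ANSWER_SIZE] =
        "\r\n+CMGL: 12,1,,23\r\n07911234567890F0\r\n\r\nOK\r\n";
    return parse_cmgl_index(answer, sizeof answer);
}

/*
 * Constructed answer that fills the buffer with gibberish so that
 * "+CMGL: " is the last thing before the terminator at answer[511],
 * the case the report describes. The unbounded scan would step from
 * that '\0' to answer[512]; the bounded one reports failure.
 */
int demo_truncated(void)
{
    char answer[ANSWER_SIZE];
    memset(answer, 'x', sizeof answer - 8);              /* 504 bytes of gibberish */
    memcpy(answer + sizeof answer - 8, "+CMGL: ", 8);    /* 7 chars + '\0' at index 511 */
    return parse_cmgl_index(answer, sizeof answer);
}
```

The bounded scanner takes the buffer end as an explicit limit rather than trusting the terminator alone, because the driver that fills the buffer, not the parser, decides whether a terminator is present; checking both costs one comparison per byte and turns the out-of-bounds read into a clean parse failure.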


