[OpenSIPS-Devel] Buffer overflow

Dan Pascu dan at ag-projects.com
Tue Apr 30 12:15:10 EDT 2019


There seems to be some buffer overflow in the code that flattens the configuration:

Apr 30 18:00:55 node15 opensips: ==7892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x7f7c1bf946aa bp 0x7ffc90558800 sp 0x7ffc90557fb0
Apr 30 18:00:55 node15 opensips: WRITE of size 54 at 0x633000018800 thread T0
Apr 30 18:00:55 node15 opensips:     #0 0x7f7c1bf946a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9)
Apr 30 18:00:55 node15 opensips:     #1 0x7f7c1bf949f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6)
Apr 30 18:00:55 node15 opensips:     #2 0x5649c1d07761 in __flatten_opensips_cfg cfg_pp.c:280
Apr 30 18:00:55 node15 opensips:     #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
Apr 30 18:00:55 node15 opensips:     #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
Apr 30 18:00:55 node15 opensips:     #5 0x5649c1c39cf9 in main main.c:1205
Apr 30 18:00:55 node15 opensips:     #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
Apr 30 18:00:55 node15 opensips:     #7 0x5649c1c41bc9 in _start (/home/dan/work/opensips/build/opensips-xs/opensips+0xe5bc9)
Apr 30 18:00:55 node15 opensips: 0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
Apr 30 18:00:55 node15 opensips: allocated by thread T0 here:
Apr 30 18:00:55 node15 opensips:     #0 0x7f7c1c029740 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
Apr 30 18:00:55 node15 opensips:     #1 0x5649c1d069fb in extend_cfg_buf cfg_pp.c:117
Apr 30 18:00:55 node15 opensips:     #2 0x5649c1d076bb in __flatten_opensips_cfg cfg_pp.c:274
Apr 30 18:00:55 node15 opensips:     #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
Apr 30 18:00:55 node15 opensips:     #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
Apr 30 18:00:55 node15 opensips:     #5 0x5649c1c39cf9 in main main.c:1205
Apr 30 18:00:55 node15 opensips:     #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
Apr 30 18:00:55 node15 opensips: SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf
Apr 30 18:00:55 node15 opensips: Shadow bytes around the buggy address:
Apr 30 18:00:55 node15 opensips:   0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips:   0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips:   0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips:   0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips:   0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips: =>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips:   0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips:   0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips:   0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips:   0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips:   0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: Shadow byte legend (one shadow byte represents 8 application bytes):
Apr 30 18:00:55 node15 opensips:   Addressable:           00
Apr 30 18:00:55 node15 opensips:   Partially addressable: 01 02 03 04 05 06 07
Apr 30 18:00:55 node15 opensips:   Heap left redzone:       fa
Apr 30 18:00:55 node15 opensips:   Freed heap region:       fd
Apr 30 18:00:55 node15 opensips:   Stack left redzone:      f1
Apr 30 18:00:55 node15 opensips:   Stack mid redzone:       f2
Apr 30 18:00:55 node15 opensips:   Stack right redzone:     f3
Apr 30 18:00:55 node15 opensips:   Stack after return:      f5
Apr 30 18:00:55 node15 opensips:   Stack use after scope:   f8
Apr 30 18:00:55 node15 opensips:   Global redzone:          f9
Apr 30 18:00:55 node15 opensips:   Global init order:       f6
Apr 30 18:00:55 node15 opensips:   Poisoned by user:        f7
Apr 30 18:00:55 node15 opensips:   Container overflow:      fc
Apr 30 18:00:55 node15 opensips:   Array cookie:            ac
Apr 30 18:00:55 node15 opensips:   Intra object redzone:    bb
Apr 30 18:00:55 node15 opensips:   ASan internal:           fe
Apr 30 18:00:55 node15 opensips:   Left alloca redzone:     ca
Apr 30 18:00:55 node15 opensips:   Right alloca redzone:    cb

--
Dan