[OpenSIPS-Devel] Buffer overflow
Dan Pascu
dan at ag-projects.com
Tue Apr 30 12:15:10 EDT 2019
There seems to be some buffer overflow in the code that flattens the configuration:
Apr 30 18:00:55 node15 opensips: ==7892==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018800 at pc 0x7f7c1bf946aa bp 0x7ffc90558800 sp 0x7ffc90557fb0
Apr 30 18:00:55 node15 opensips: WRITE of size 54 at 0x633000018800 thread T0
Apr 30 18:00:55 node15 opensips: #0 0x7f7c1bf946a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9)
Apr 30 18:00:55 node15 opensips: #1 0x7f7c1bf949f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6)
Apr 30 18:00:55 node15 opensips: #2 0x5649c1d07761 in __flatten_opensips_cfg cfg_pp.c:280
Apr 30 18:00:55 node15 opensips: #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
Apr 30 18:00:55 node15 opensips: #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
Apr 30 18:00:55 node15 opensips: #5 0x5649c1c39cf9 in main main.c:1205
Apr 30 18:00:55 node15 opensips: #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
Apr 30 18:00:55 node15 opensips: #7 0x5649c1c41bc9 in _start (/home/dan/work/opensips/build/opensips-xs/opensips+0xe5bc9)
Apr 30 18:00:55 node15 opensips: 0x633000018800 is located 0 bytes to the right of 98304-byte region [0x633000000800,0x633000018800)
Apr 30 18:00:55 node15 opensips: allocated by thread T0 here:
Apr 30 18:00:55 node15 opensips: #0 0x7f7c1c029740 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9740)
Apr 30 18:00:55 node15 opensips: #1 0x5649c1d069fb in extend_cfg_buf cfg_pp.c:117
Apr 30 18:00:55 node15 opensips: #2 0x5649c1d076bb in __flatten_opensips_cfg cfg_pp.c:274
Apr 30 18:00:55 node15 opensips: #3 0x5649c1d094fc in flatten_opensips_cfg cfg_pp.c:318
Apr 30 18:00:55 node15 opensips: #4 0x5649c1d094fc in parse_opensips_cfg cfg_pp.c:77
Apr 30 18:00:55 node15 opensips: #5 0x5649c1c39cf9 in main main.c:1205
Apr 30 18:00:55 node15 opensips: #6 0x7f7c1bd7409a in __libc_start_main ../csu/libc-start.c:308
Apr 30 18:00:55 node15 opensips: SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf
Apr 30 18:00:55 node15 opensips: Shadow bytes around the buggy address:
Apr 30 18:00:55 node15 opensips: 0x0c667fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips: 0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips: 0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips: 0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips: 0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Apr 30 18:00:55 node15 opensips: =>0x0c667fffb100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: 0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: 0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: 0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: 0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: 0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Apr 30 18:00:55 node15 opensips: Shadow byte legend (one shadow byte represents 8 application bytes):
Apr 30 18:00:55 node15 opensips: Addressable: 00
Apr 30 18:00:55 node15 opensips: Partially addressable: 01 02 03 04 05 06 07
Apr 30 18:00:55 node15 opensips: Heap left redzone: fa
Apr 30 18:00:55 node15 opensips: Freed heap region: fd
Apr 30 18:00:55 node15 opensips: Stack left redzone: f1
Apr 30 18:00:55 node15 opensips: Stack mid redzone: f2
Apr 30 18:00:55 node15 opensips: Stack right redzone: f3
Apr 30 18:00:55 node15 opensips: Stack after return: f5
Apr 30 18:00:55 node15 opensips: Stack use after scope: f8
Apr 30 18:00:55 node15 opensips: Global redzone: f9
Apr 30 18:00:55 node15 opensips: Global init order: f6
Apr 30 18:00:55 node15 opensips: Poisoned by user: f7
Apr 30 18:00:55 node15 opensips: Container overflow: fc
Apr 30 18:00:55 node15 opensips: Array cookie: ac
Apr 30 18:00:55 node15 opensips: Intra object redzone: bb
Apr 30 18:00:55 node15 opensips: ASan internal: fe
Apr 30 18:00:55 node15 opensips: Left alloca redzone: ca
Apr 30 18:00:55 node15 opensips: Right alloca redzone: cb
--
Dan
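The trace above shows the failure mode of this bug class: a 54-byte sprintf write landing exactly at the end of a 98304-byte realloc'd region, i.e. the buffer was grown, but not before checking that the formatted line would fit. As an added example (not code from OpenSIPS or from this report; the names cfg_buf, cfg_buf_reserve and cfg_buf_appendf are hypothetical), here is the bounded counterpart of that pattern: the write is measured with vsnprintf first, the buffer is grown to hold it, and only then is the text written, bounded by the remaining capacity.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable text buffer used by a config flattener. */
struct cfg_buf {
    char *data;
    size_t len;   /* bytes used, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
};

/* Grow so that `need` more bytes plus a NUL fit; returns 0 on success, -1 on OOM. */
static int cfg_buf_reserve(struct cfg_buf *b, size_t need)
{
    size_t want = b->len + need + 1;
    size_t ncap;
    char *p;

    if (want <= b->cap)
        return 0;
    ncap = b->cap ? b->cap : 64;
    while (ncap < want)
        ncap *= 2;            /* geometric growth keeps realloc calls rare */
    p = realloc(b->data, ncap);
    if (!p)
        return -1;            /* old buffer is still valid and owned by caller */
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* Safe replacement for "sprintf(buf + len, fmt, ...)": measure, grow, then write.
 * Returns the number of bytes appended, or -1 on error. */
int cfg_buf_appendf(struct cfg_buf *b, const char *fmt, ...)
{
    va_list ap, ap2;
    int n;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    n = vsnprintf(NULL, 0, fmt, ap);       /* required length; writes nothing */
    va_end(ap);
    if (n < 0 || cfg_buf_reserve(b, (size_t)n) < 0) {
        va_end(ap2);
        return -1;
    }
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap2);  /* always bounded */
    va_end(ap2);
    b->len += (size_t)n;
    return n;
}
```

Under AddressSanitizer the same append sequence that overflowed a fixed-size sprintf target stays inside the allocation, because the reserve step runs before every write rather than only when a caller remembers to extend the buffer.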