A stack-buffer-overflow caused by calling process_unexpected at line 2349 in /src/call.cpp
env

System version: ubuntu 22.04

command

Starting sipp:

```shell
/sipp/build/sipp -sn uas -p 5060 -t u1 -d 0
```

Sending the packet:

```shell
/path/to/aflnet/aflnet-replay poc SIP 5060
```
Description
Here is the valgrind report:
```
==4903== Memcheck, a memory error detector
==4903== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==4903== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==4903== Command: ./orig_sipp/sipp/build/sipp -sn uas -p 5060 -t u1 -d 0
==4903== Parent PID: 783
==4903==
==4903==
==4903== Process terminating with default action of signal 6 (SIGABRT): dumping core
==4903==    at 0x55CCB2C: __pthread_kill_implementation (pthread_kill.c:44)
==4903==    by 0x55CCB2C: __pthread_kill_internal (pthread_kill.c:78)
==4903==    by 0x55CCB2C: pthread_kill@@GLIBC_2.34 (pthread_kill.c:89)
==4903==    by 0x557327D: raise (raise.c:26)
==4903==    by 0x55568FE: abort (abort.c:79)
==4903==    by 0x55577B5: __libc_message_impl.cold (libc_fatal.c:134)
==4903==    by 0x5664C18: __fortify_fail (fortify_fail.c:24)
==4903==    by 0x5665EA3: __stack_chk_fail (stack_chk_fail.c:24)
==4903==    by 0x128DC8: call::process_unexpected(char const*) (call.cpp:2414)
==4903==    by 0x3020786563: ???
==4903==
==4903== HEAP SUMMARY:
==4903==     in use at exit: 1,494,726 bytes in 5,469 blocks
==4903==   total heap usage: 9,930 allocs, 4,461 frees, 2,753,731 bytes allocated
==4903==
==4903== LEAK SUMMARY:
==4903==    definitely lost: 0 bytes in 0 blocks
==4903==    indirectly lost: 0 bytes in 0 blocks
==4903==      possibly lost: 1,413 bytes in 35 blocks
==4903==    still reachable: 1,493,313 bytes in 5,434 blocks
==4903==                       of which reachable via heuristic:
==4903==                         multipleinheritance: 5,912 bytes in 6 blocks
==4903==         suppressed: 0 bytes in 0 blocks
==4903== Rerun with --leak-check=full to see details of leaked memory
==4903==
==4903== For lists of detected and suppressed errors, rerun with: -s
==4903== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
```
And here is the ASan report:

```
=================================================================
==1510==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff572982c at pc 0x5555556814c4 bp 0x7ffffffee1f0 sp 0x7ffffffed9b0
WRITE of size 26 at 0x7ffff572982c thread T0
    #0 0x5555556814c3 in vsnprintf /llvm/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1649:1
    #1 0x555555683c7e in snprintf /llvm/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1720:1
    #2 0x5555557435b5 in call::process_unexpected(char const*) /home/user/sipp/src/call.cpp:2349:21
    #3 0x555555762d51 in call::process_incoming(char const*, sockaddr_storage const*) /home/user/sipp/src/call.cpp:5211:18
    #4 0x555555859141 in process_message(SIPpSocket*, char*, long, sockaddr_storage*) /home/user/sipp/src/socket.cpp
    #5 0x55555586dfd0 in SIPpSocket::pollset_process(int) /home/user/sipp/src/socket.cpp:2999:17
    #6 0x5555558ad96c in traffic_thread(int&, int&) /home/user/sipp/src/sipp.cpp:600:9
    #7 0x5555558ad96c in main /home/user/sipp/src/sipp.cpp:2207:5
    #8 0x7ffff739c1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7ffff739c28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #10 0x5555555c4c74 in _start (/home/user/sipp/build/sipp+0x70c74)

Address 0x7ffff572982c is located in stack of thread T0 at offset 2092 in frame
    #0 0x55555574313f in call::process_unexpected(char const*) /home/user/sipp/src/call.cpp:2331

  This frame has 1 object(s):
    [32, 2081) 'buffer' (line 2332) <== Memory access at offset 2092 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /llvm/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1649:1 in vsnprintf
Shadow bytes around the buggy address:
  0x7ffff5729580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ffff5729800: 00 00 00 00 01[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x7ffff5729880: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x7ffff5729900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ffff5729a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1510==ABORTING
```
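The ASan frame above reports a 26-byte write that starts at offset 2092, past the end of the 2049-byte stack object 'buffer' ending at offset 2081, i.e. the destination pointer handed to snprintf was already outside the buffer. A common cause of that shape (stated here as an assumption, not as a reading of SIPp's source) is accumulating snprintf's return value as the write offset: snprintf returns the length the output would have had, not the bytes it wrote, so after one truncation the offset runs past the buffer and the next call writes outside it. The helper below is an added example, not SIPp's code, showing an append that keeps the offset inside the buffer under truncation:

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from SIPp). Appends formatted text to a fixed
 * buffer of `cap` bytes and keeps *pos within [0, cap-1] even when vsnprintf
 * truncates, so a later call can never start writing past the end.
 * Returns false when output was cut or formatting failed. */
static bool append_fmt(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    if (cap == 0) return false;
    if (*pos >= cap) { *pos = cap - 1; buf[*pos] = '\0'; return false; }
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);   /* never past buf+cap */
    va_end(ap);
    if (n < 0) { buf[*pos] = '\0'; return false; }        /* encoding error */
    if ((size_t)n >= cap - *pos) { *pos = cap - 1; return false; } /* truncated: clamp */
    *pos += (size_t)n;                                     /* only advance by bytes written */
    return true;
}

/* Builds a diagnostic line the way a message handler might, with an
 * untrusted, possibly oversized `msg`. Returns the final offset. */
static size_t build_message(char *out, size_t cap, const char *msg)
{
    size_t pos = 0;
    append_fmt(out, cap, &pos, "Unexpected message: ");
    append_fmt(out, cap, &pos, "%s", msg);          /* truncates, pos stays < cap */
    append_fmt(out, cap, &pos, " [%d bytes]", 26);  /* lands inside the buffer, not beyond */
    return pos;
}

/* Constructed input: a 299-byte message into a 64-byte stack buffer.
 * Returns the final offset if the buffer is still NUL-terminated and
 * consistent, or -1 on any corruption. */
static int demo_small_buffer(void)
{
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char buf[64];
    size_t pos = build_message(buf, sizeof buf, big);
    if (pos >= sizeof buf || buf[pos] != '\0' || strlen(buf) != pos) return -1;
    return (int)pos;
}

int main(void) { printf("final offset: %d\n", demo_small_buffer()); return 0; }
```

With the naive `pos += snprintf(...)` pattern the second append would leave pos at 319 for this input, and the third call would write beyond the 64-byte buffer exactly as ASan reports for the 2049-byte one above.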