List: asterisk-dev
Subject: Re: [asterisk-dev] Config reading and scanf with large numbers
From: Richard Mudgett <rmudgett () digium ! com>
Date: 2016-06-01 16:06:53
Message-ID: CALD46g0kJS=NK_2WNxQqb7UPNc4Fp2z=5nbiN+vEJwt6pH1D2w () mail ! gmail ! com
On Wed, Jun 1, 2016 at 5:25 AM, snuffy <snuffy22@gmail.com> wrote:
> Hello All,
>
> I noticed a bug report ASTERISK-25972,
>
The referenced issue has nothing to do with what you are talking about.
>
> Looking through the code we do the following:
>
> sscanf(string,"%30d",&my_int);
>
> Now the issue is that an integer can't hold a number 30 digits in length: 32-bit
> ints are safe with 9, and 64-bit with 19.
>
> If we set a value of %9d, if there are any more digits after the first 9
> they will be lost but we know the value will be inside the range of an
> integer.
>
> For single-value scans, like reading from config files, we could 'mitigate'
> by checking the strlen of the value we intend to read before running scanf;
> if the return is > 9, emit a warning stating that their value will be truncated
> and read only the first 9 characters into the integer.
>
> If we use just %d followed by %n, we can see how many characters have been
> consumed; if we determine that it would be too large, emit a warning
> stating that the value is most likely incorrect.
>
>
> Am I barking up the wrong tree? thoughts?
>
The reason Asterisk uses sscanf format specifiers like "%30d" is because of
the AST-2009-005 security issue, where a bug in libc allowed an attacker to
crash Asterisk by supplying a ridiculously long string of digits in a SIP
message and blow the stack.

As far as reading config files with excessively long integers, garbage in
gives garbage out.
Richard
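As an added illustration of the two approaches the thread discusses (this is not Asterisk code and not code posted by either participant), the C below shows a strtol-based parser that rejects a config value that does not fit in an int instead of silently truncating it, next to the "%30d" plus "%n" scan with a digit-count check in front of it. Function names, the 9-digit safety threshold and the sample inputs are assumptions constructed for this example; the bounded-width specifier itself is the one the thread describes.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Asterisk code): parse a decimal integer from a
 * config value and reject anything that does not fit in an int.
 * Returns 0 on success, -1 on empty input, trailing garbage or overflow.
 * strtol sets errno to ERANGE when the magnitude exceeds long, and the
 * explicit INT_MIN/INT_MAX check catches values that fit a 64-bit long but
 * not a 32-bit int. */
int parse_config_int(const char *s, int *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0') {
        return -1;
    }
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE) {
        return -1;          /* magnitude too large even for long */
    }
    if (end == s || *end != '\0') {
        return -1;          /* no digits, or text after the number */
    }
    if (v < INT_MIN || v > INT_MAX) {
        return -1;          /* fits in long but not in int */
    }
    *out = (int)v;
    return 0;
}

/* The "%30d" + "%n" idea from the thread: keep the bounded width so sscanf
 * never walks an unbounded digit run, report how many characters it consumed,
 * and refuse to trust the conversion when the digit run is longer than the
 * 9 digits a 32-bit int can always hold (converting such a value with %d is
 * out of range, and the C standard leaves that result undefined).
 * Returns 0 on success, -1 if there is no number or the run is too long. */
int scan_int_checked(const char *s, int *out, int *consumed)
{
    const char *p = s;
    size_t digits;

    *consumed = 0;
    if (*p == '-' || *p == '+') {
        p++;
    }
    digits = strspn(p, "0123456789");
    if (digits == 0 || digits > 9) {
        return -1;          /* caller should warn: value untrustworthy */
    }
    if (sscanf(s, "%30d%n", out, consumed) != 1) {
        return -1;
    }
    return 0;
}

/* Small wrappers so each result can be checked directly. */
int parse_status(const char *s)  { int v = 0;        return parse_config_int(s, &v); }
int parse_value(const char *s)   { int v = 0;        parse_config_int(s, &v); return v; }
int scan_status(const char *s)   { int v = 0, n = 0; return scan_int_checked(s, &v, &n); }
int scan_value(const char *s)    { int v = 0, n = 0; scan_int_checked(s, &v, &n); return v; }
int scan_consumed(const char *s) { int v = 0, n = 0; scan_int_checked(s, &v, &n); return n; }

int main(void)
{
    /* Constructed sample config values, including the 30-digit case. */
    const char *samples[] = {
        "123", "-2147483648", "2147483648",
        "999999999999999999999999999999", "12abc", "42 rest", "",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-32s strtol: %s (%d)   scan: %s (%d, consumed %d)\n",
               samples[i],
               parse_status(samples[i]) == 0 ? "ok " : "REJ", parse_value(samples[i]),
               scan_status(samples[i]) == 0 ? "ok " : "REJ", scan_value(samples[i]),
               scan_consumed(samples[i]));
    }
    return 0;
}
```

Note that scan_int_checked still fails "42 rest" only if you require the whole value to be numeric; as written it mirrors sscanf and reports that 2 characters were consumed, which is exactly the signal the %n suggestion in the thread relies on to warn the user.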
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev