
List:       asterisk-dev
Subject:    Re: [asterisk-dev] Config reading and scanf with large numbers
From:       Richard Mudgett <rmudgett () digium ! com>
Date:       2016-06-01 16:06:53
Message-ID: CALD46g0kJS=NK_2WNxQqb7UPNc4Fp2z=5nbiN+vEJwt6pH1D2w () mail ! gmail ! com


On Wed, Jun 1, 2016 at 5:25 AM, snuffy <snuffy22@gmail.com> wrote:

> Hello All,
>
> I noticed a bug report ASTERISK-25972,
>

The referenced issue has nothing to do with what you are talking about.


>
> Looking through the code we do the following:
>
> sscanf(string,"%30d",&my_int);
>
> Now the issue is that an integer can't hold a number 30 digits in length; 32-bit
> ints are safe with 9, and 64-bit with 19.
>
> If we set a value of %9d and there are any more digits after the first 9,
> they will be lost, but we know the value will be inside the range of an
> integer.
>
> For single value scans, like reading from config files, we could 'mitigate'
> by checking the strlen of the value we intend to read before running scanf;
> if the return is >9, emit a warning stating their value will be truncated and
> read only the first 9 characters into the integer.
>
> If we use just %d followed by %n, we can see how many characters have been
> consumed; if we determine that it would be too large, emit a warning
> stating that the value is most likely incorrect.
>
>
> Am I barking up the wrong tree? Thoughts?
>

The reason Asterisk uses sscanf format specifiers like "%30d" is because of
the AST-2009-005 security issue, where a bug in libc allowed an attacker to
crash Asterisk by supplying a ridiculously long string of digits in a SIP
message and blow the stack.

As far as reading config files with excessively long integers, garbage in
gives garbage out.

Richard
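A worked version of the %n check snuffy describes, added here as an example; it is not code from Asterisk or from either poster, and `parse_config_int`, `config_int_or` and the result enum are hypothetical names. It keeps a bounded field width (the reason for the "%30d" specifiers) while using "%n" to flag values that were cut off by the width, do not fit an int, or carry trailing garbage.

```c
#include <limits.h>
#include <stdio.h>

/* Result codes for parsing a config-file integer (hypothetical names). */
enum int_parse_result {
    PARSE_OK = 0,
    PARSE_NOT_A_NUMBER,  /* no leading integer at all */
    PARSE_TRAILING_JUNK, /* integer followed by unexpected characters */
    PARSE_OUT_OF_RANGE   /* wider than the field, or does not fit an int */
};

/*
 * Parse a decimal integer from a config value into *out (NULL = validate only).
 * The field width bounds how many characters sscanf ever examines, the point of
 * the "%30d" specifiers in the thread. Width 18 is used because 18 digits always
 * fit a signed 64-bit long long, so the conversion cannot overflow (plain "%30d"
 * into an int can, and C leaves that result undefined). "%n" reports how many
 * characters were consumed, so digits cut off by the width and trailing garbage
 * are detected instead of silently dropped.
 */
enum int_parse_result parse_config_int(const char *value, int *out)
{
    long long tmp;
    int consumed = 0;
    const char *rest;
    if (sscanf(value, "%18lld%n", &tmp, &consumed) != 1)
        return PARSE_NOT_A_NUMBER;
    rest = value + consumed;
    if (*rest >= '0' && *rest <= '9') /* more digits than the field width */
        return PARSE_OUT_OF_RANGE;
    while (*rest == ' ' || *rest == '\t' || *rest == '\n')
        rest++;                       /* trailing whitespace is acceptable */
    if (*rest != '\0')
        return PARSE_TRAILING_JUNK;
    if (tmp < INT_MIN || tmp > INT_MAX)
        return PARSE_OUT_OF_RANGE;
    if (out)
        *out = (int)tmp;
    return PARSE_OK;
}

/* Convenience wrapper: the parsed value, or fallback when the value is bad. */
int config_int_or(const char *value, int fallback)
{
    int v;
    if (parse_config_int(value, &v) == PARSE_OK)
        return v;
    fprintf(stderr, "bad integer '%s', using default %d\n", value, fallback);
    return fallback;
}
```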



