
CVE-2022-47517: heap-based buffer overflow in (url_canonize2 libsofia-sip-ua/url/url.c ?) #243

Closed
asarubbo opened this issue Nov 26, 2022 · 9 comments


@asarubbo

Hi,

the following remote request is able to crash drachtio:

nc -u PUBLIC_IP 5060 < file

==3439==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60f0000012ba at pc 0x000000a45552 bp 0x7ffcb041b950 sp 0x7ffcb041b948
READ of size 1 at 0x60f0000012ba thread T0
    #0 0xa45551 in url_canonize2 /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/url/url.c:367
    #1 0xa4756b in url_d /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/url/url.c:802
    #2 0x9bd29d in sip_name_addr_d /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/sip/sip_basic.c:725
    #3 0x9bd9b1 in sip_contact_d /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/sip/sip_basic.c:1407
    #4 0x9556c5 in header_parse /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1132
    #5 0x9556c5 in extract_header /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1071
    #6 0x958e4e in extract_next /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1001
    #7 0x958e4e in msg_extract /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:903
    #8 0xa224f1 in tport_parse /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/tport/tport.c:2984
    #9 0xa23edf in tport_recv_event /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/tport/tport.c:2954
    #10 0xa2a2ff in tport_base_wakeup /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/tport/tport.c:2855
    #11 0xa83e2b in su_epoll_port_wait_events /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_epoll_port.c:510
    #12 0xa82a34 in su_base_port_run /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_base_port.c:349
    #13 0x4dc07b in drachtio::DrachtioController::run() ../src/controller.cpp:1336
    #14 0x4647ae in main ../src/main.cpp:47
    #15 0x7fcb1ded1d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
    #16 0x4846a9 in _start (/usr/local/bin/drachtio-asan+0x4846a9)

0x60f0000012ba is located 0 bytes to the right of 170-byte region [0x60f000001210,0x60f0000012ba)
allocated by thread T0 here:
    #0 0x7fcb1e8b8e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x9eadce in sub_alloc /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_alloc.c:541
    #2 0x9ebaaa in su_alloc /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_alloc.c:960
    #3 0x954ab7 in msg_header_alloc /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:2314
    #4 0x955eaf in header_parse /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1114
    #5 0x955eaf in extract_header /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1071
    #6 0x958e4e in extract_next /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:1001
    #7 0x958e4e in msg_extract /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/msg/msg_parser.c:903
    #8 0xa224f1 in tport_parse /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/tport/tport.c:2984
    #9 0xa23edf in tport_recv_event /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/tport/tport.c:2954
    #10 0xa2a2ff in tport_base_wakeup /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/tport/tport.c:2855
    #11 0xa83e2b in su_epoll_port_wait_events /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_epoll_port.c:510
    #12 0xa82a34 in su_base_port_run /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/su/su_base_port.c:349
    #13 0x4dc07b in drachtio::DrachtioController::run() ../src/controller.cpp:1336
    #14 0x4647ae in main ../src/main.cpp:47
    #15 0x7fcb1ded1d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/src/drachtio-server/deps/sofia-sip/libsofia-sip-ua/url/url.c:367 in url_canonize2
Shadow bytes around the buggy address:
  0x0c1e7fff8200: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff8210: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1e7fff8220: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e7fff8230: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1e7fff8240: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1e7fff8250: 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa fa
  0x0c1e7fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3439==ABORTING

While I'm not sure whether the issue is in libsofia-sip or drachtio, my guess is that it is in libsofia-sip, but I'm filing the issue here because I can reproduce it via drachtio.

I'm on v0.8.19-rc12

# drachtio -v
4f3530f

Attaching the testcase zipped; to reproduce, you need to unzip it.
off-by-one.zip

@davehorton
Collaborator

I'm unable to recreate this on the latest build. Log below

2022-11-27 23:25:02.792103 tport.c:3267 tport_recv_iovec() tport_recv_iovec(0x559aef0c4f20) msg 0x559aef0d1fe0 from (udp/172.20.111.204:5060) has 469 bytes, veclen = 1
2022-11-27 23:25:02.792203 recv 469 bytes from udp/[172.20.111.204]:54228 at 23:25:02.792137:
REGISTER sip:drachtio1a SIP/2.0
Via: SIP/2.0/UDP 10.10.5.144:5060;branch=z9hG4bK355579564;rport
Route: <sip:drachtio1a:5060;lr>
From: <sip:100@drachtio1a>;tag=2013202359
To: <sip:100@drachtio1a>
Call-ID: 1844442003-5060-1@BA.BA.F.BEE
CSeq: 94363 REGISTER
Contact: %
X-Grandstream-PBX: true
Max-Forwards: 70
User-Agent: Grandstream GXP2160 1.0.9.134
Expires: 0
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 0

2022-11-27 23:25:02.792247 tport.c:3085 tport_deliver() tport_deliver(0x559aef0c4f20): msg 0x559aef0d1fe0 (469 bytes) from udp/172.20.111.204:5060 next=(nil)
2022-11-27 23:25:02.792268 tport.c:1171 tport_ref() tport_ref(0x559aef0c4f20): refcount is now 1
2022-11-27 23:25:02.792283 nta.c:3046 agent_recv_request() nta: received REGISTER sip:drachtio1a SIP/2.0 (CSeq 94363)
2022-11-27 23:25:02.792296 nta.c:3111 agent_recv_request() nta: REGISTER has bad Contact header
2022-11-27 23:25:02.792312 nta.c:3346 agent_check_request_via() nta: Via check: received=172.20.111.204
2022-11-27 23:25:02.792333 nta.c:3127 agent_recv_request() nta: REGISTER (94363) is Bad Contact Header
2022-11-27 23:25:02.792359 tport.c:3322 tport_tsend() tport_tsend(0x559aef0c4f20) tpn = UDP/172.20.111.204:54228
2022-11-27 23:25:02.792379 tport.c:4122 tport_resolve() tport_resolve addrinfo = 172.20.111.204:54228
2022-11-27 23:25:02.792397 tport.c:4811 tport_by_addrinfo() tport_by_addrinfo(0x559aef0c4f20): not found by name UDP/172.20.111.204:54228
2022-11-27 23:25:02.792410 tport.c:4811 tport_by_addrinfo() tport_by_addrinfo(0x559aef0c53d0): not found by name UDP/172.20.111.204:54228
2022-11-27 23:25:02.792422 tport.c:4811 tport_by_addrinfo() tport_by_addrinfo(0x559aef0c58a0): not found by name UDP/172.20.111.204:54228
2022-11-27 23:25:02.792438 tport.c:4811 tport_by_addrinfo() tport_by_addrinfo(0x559aef0c5da0): not found by name UDP/172.20.111.204:54228
2022-11-27 23:25:02.792454 tport.c:4811 tport_by_addrinfo() tport_by_addrinfo(0x559aef0c6270): not found by name UDP/172.20.111.204:54228
2022-11-27 23:25:02.792467 tport.c:4811 tport_by_addrinfo() tport_by_addrinfo(0x559aef0c6740): not found by name UDP/172.20.111.204:54228
2022-11-27 23:25:02.792567 tport.c:3572 tport_send_msg() tport_vsend returned 297
2022-11-27 23:25:02.792604 send 297 bytes to udp/[172.20.111.204]:54228 at 23:25:02.792489:
SIP/2.0 400 Bad Contact Header
Via: SIP/2.0/UDP 10.10.5.144:5060;branch=z9hG4bK355579564;rport=54228;received=172.20.111.204
From: <sip:100@drachtio1a>;tag=2013202359
To: <sip:100@drachtio1a>;tag=ct3yD4504ZaKg
Call-ID: 1844442003-5060-1@BA.BA.F.BEE
CSeq: 94363 REGISTER
Content-Length: 0

@davehorton
Collaborator

I was able to see the off-by-one access when using valgrind. Fixed in v0.8.19-rc14
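The bug class behind the ASan report in the opening post (a one-byte read just past the end of a heap block while canonicalising a URL that ends in `%`, the `Contact: %` header seen in the log above) can be shown with a small model. The C below is an added example written for this page; it is not sofia-sip's url_canonize2 nor drachtio's code, and the function names, the "decode `%XX` only for unreserved characters" rule and the sample inputs are assumptions. The unchecked variant fetches both bytes after a `%` before validating either, so a trailing `%` makes it read past the terminating NUL; the checked variant first confirms that two more bytes lie inside the buffer and validates the first before touching the second.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified percent-decoding canonicaliser for illustration.
 * NOT sofia-sip's url_canonize2. Rule (assumed for this example): decode %XX
 * when the byte is unreserved, otherwise keep %XX with upper-case hex. */

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                      /* also -1 for the NUL terminator */
}

static int is_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Vulnerable shape: both bytes after '%' are fetched before any check.
 * If '%' is the last character, s[i + 2] is one byte past the NUL, i.e.
 * past the heap block: the one-byte heap read ASan flagged above.
 * d must hold at least n + 1 bytes. Not for untrusted input. */
char *canonize_unchecked(char *d, const char *s, size_t n)
{
    size_t i = 0, o = 0;
    for (; i < n && s[i]; i++) {
        if (s[i] != '%') { d[o++] = s[i]; continue; }
        unsigned char h1 = (unsigned char)s[i + 1];
        unsigned char h2 = (unsigned char)s[i + 2];  /* may read out of bounds */
        int v1 = hexval(h1), v2 = hexval(h2);
        if (v1 < 0 || v2 < 0) { d[0] = '\0'; return NULL; }
        unsigned char c = (unsigned char)(v1 * 16 + v2);
        if (is_unreserved(c)) {
            d[o++] = (char)c;
        } else {
            d[o++] = '%'; d[o++] = (char)toupper(h1); d[o++] = (char)toupper(h2);
        }
        i += 2;
    }
    d[o] = '\0';
    return d;
}

/* Hardened form: checks that s[i + 2] is inside the n-byte buffer, and
 * validates s[i + 1] before reading s[i + 2], so a NUL right after '%'
 * stops the scan. Malformed input is rejected (NULL), never read past. */
char *canonize_checked(char *d, const char *s, size_t n)
{
    size_t i = 0, o = 0;
    for (; i < n && s[i]; i++) {
        if (s[i] != '%') { d[o++] = s[i]; continue; }
        if (i + 2 >= n) { d[0] = '\0'; return NULL; }   /* bounds check */
        unsigned char h1 = (unsigned char)s[i + 1];
        int v1 = hexval(h1);
        if (v1 < 0) { d[0] = '\0'; return NULL; }       /* catches NUL too */
        unsigned char h2 = (unsigned char)s[i + 2];
        int v2 = hexval(h2);
        if (v2 < 0) { d[0] = '\0'; return NULL; }
        unsigned char c = (unsigned char)(v1 * 16 + v2);
        if (is_unreserved(c)) {
            d[o++] = (char)c;
        } else {
            d[o++] = '%'; d[o++] = (char)toupper(h1); d[o++] = (char)toupper(h2);
        }
        i += 2;
    }
    d[o] = '\0';
    return d;
}

/* Convenience wrapper: canonicalise a NUL-terminated string into a static
 * buffer, passing exactly strlen(s) as the buffer length. */
const char *canonize_str(const char *s)
{
    static char buf[256];
    return canonize_checked(buf, s, strlen(s));
}

int main(void)
{
    /* Constructed sample inputs, including the malformed trailing '%'. */
    const char *samples[] = { "sip:%41lice@ex%2fample", "abc%4", "%" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        const char *r = canonize_str(samples[k]);
        printf("%-24s -> %s\n", samples[k], r ? r : "rejected");
    }
    return 0;
}
```

Only the checked variant is exercised on the malformed inputs; running the unchecked one on `%` would perform exactly the out-of-bounds read the sanitizer reported, which is why a sanitizer or valgrind build, as used above, is the right way to observe it.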

@asarubbo
Author

CVE-2022-47517 has been assigned to this issue.

@asarubbo asarubbo changed the title heap-based buffer overflow in (url_canonize2 libsofia-sip-ua/url/url.c ?) CVE-2022-47517: heap-based buffer overflow in (url_canonize2 libsofia-sip-ua/url/url.c ?) Dec 20, 2022
@davehorton
Collaborator

OK, it seems like you opened this CVE 2 days ago, with no fix information, yet per above I fixed it 3 weeks ago.

@asarubbo
Author

Where did you see no fix information?

@davehorton
Collaborator

Oh, I was looking at "Patched versions: unknown". I see the description indicates the fix version now, so that is good. Thanks, and sorry for the misunderstanding.

@asarubbo
Author

asarubbo commented Dec 21, 2022

Hi Dave, no problem. Just keep in mind that the link you can see as CVE-2022-47517 (GHSA-c8mq-83h4-gm57) is generated automatically by GitHub. The official reference is always at https://cve.mitre.org

@AdrianBunk

@davehorton @asarubbo Looking at davehorton/sofia-sip@bfc79d8, is CVE-2022-47517 a duplicate of the first part of CVE-2022-31002, and the url_canonize3() part of freeswitch/sofia-sip@51841eb is still missing here?

@davehorton
Collaborator

Yes, you are right. I will commit the second part of that change shortly.
