Potential buffer overflow in srtp_protect() #24

Closed
jfigus opened this Issue · 15 comments

5 participants

@jfigus
Collaborator

Applications invoking srtp_protect() need to ensure the write buffer has additional memory available at the end to hold the authentication tag. The documentation should be updated to warn users of this potential problem.

@jfigus jfigus was assigned
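
The caller-side check the report above asks applications to make, as an added example that is not part of the original thread or of the library's code. All names are hypothetical: `standin_protect()` stands in for a protect call that appends the tag in place without knowing the buffer size, and the 172-byte packet and tag lengths are constructed sample values.

```c
#include <stddef.h>
#include <string.h>

/* All names here are hypothetical and constructed for this example. */
enum { GUARD_OK = 0, GUARD_NO_ROOM = 1, GUARD_BAD_PARAM = 2 };

/* Stand-in for a protect call: appends tag_len bytes after the packet and
 * updates *len. Like the call discussed in the issue, it is never told how
 * large the buffer is, so it cannot check for itself. */
static void standin_protect(unsigned char *pkt, int *len, int tag_len)
{
    memset(pkt + *len, 0xA5, (size_t)tag_len); /* placeholder tag bytes */
    *len += tag_len;
}

/* Caller-side guard: refuse to protect unless cap leaves room for the tag. */
int protect_checked(unsigned char *buf, size_t cap, int *len, int tag_len)
{
    if (buf == NULL || len == NULL || *len < 0 || tag_len < 0)
        return GUARD_BAD_PARAM;
    if ((size_t)*len > cap || cap - (size_t)*len < (size_t)tag_len)
        return GUARD_NO_ROOM;
    standin_protect(buf, len, tag_len);
    return GUARD_OK;
}

/* Runs the guard on a constructed 172-byte packet (12-byte RTP header plus
 * 160 bytes of payload) in a buffer of `cap` usable bytes. Returns the guard
 * status, or -1 if the canary bytes placed after the buffer were modified. */
int demo(size_t cap, int tag_len, int *len_out)
{
    unsigned char mem[256];
    int len = 172;
    size_t i;

    if (cap > sizeof(mem) - 16)
        return GUARD_BAD_PARAM;
    memset(mem, 0, sizeof(mem));
    memset(mem + cap, 0xEE, sizeof(mem) - cap); /* canary past the buffer */
    int st = protect_checked(mem, cap, &len, tag_len);
    for (i = cap; i < sizeof(mem); i++)
        if (mem[i] != 0xEE)
            return -1;
    *len_out = len;
    return st;
}
```

A buffer sized exactly to the plaintext packet is rejected, while the same packet in a buffer with tag-sized headroom is protected and its length grows by the tag length.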
@jfigus
Collaborator

Please credit Fernando Russ from Groundworkstech for finding this vulnerability. His contact information is fruss@groundworkstech.com

@tvsriram
Collaborator
@jfigus
Collaborator

I'm not aware of anyone providing a patch. I've fixed this and submitted a pull request.

@tvsriram
Collaborator
@jfigus
Collaborator

Looking at the following code, is this a bug as well? Notice the 32 bit tag cases are using the 80 bit policy.

    err_status_t
    crypto_policy_set_from_profile_for_rtcp(crypto_policy_t *policy,
                                            srtp_profile_t profile) {

      /* set SRTP policy from the SRTP profile in the key set */
      switch(profile) {
      case srtp_profile_aes128_cm_sha1_80:
        crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
        break;
      case srtp_profile_aes128_cm_sha1_32:
        crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
        break;
      case srtp_profile_null_sha1_80:
        crypto_policy_set_null_cipher_hmac_sha1_80(policy);
        break;
      case srtp_profile_aes256_cm_sha1_80:
        crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
        break;
      case srtp_profile_aes256_cm_sha1_32:
        crypto_policy_set_aes_cm_256_hmac_sha1_80(policy);
        break;
        /* the following profiles are not (yet) supported */
      case srtp_profile_null_sha1_32:
      default:
        return err_status_bad_param;
      }

      return err_status_ok;
    }

@tvsriram
Collaborator
@davidmcgrew
Collaborator
@jfigus
Collaborator

I'll fix this problem as well and include it in the pull request.

@davidmcgrew
Collaborator
@tvsriram
Collaborator
@jesup
Collaborator

From RFC 3711:

. SRTCP MUST NOT be used with weak (or NULL) authentication.

SRTP MAY be used with weak authentication (e.g., a 32-bit
authentication tag), or with no authentication (the NULL
authentication algorithm).

I believe the code as stated is correct: 32-bit SRTP tags mean using 80-bit RTCP tags. The MUST NOT says 32-bit auth tags for RTCP are not to be allowed. I've run into this before.

@davidmcgrew
Collaborator
@jfigus
Collaborator
@fruss

Hi, my name is Fernando Russ, and I'm a Security Researcher at Groundworks Technologies. As a follow-up to this issue, we have published a related security advisory. Thanks.

http://seclists.org/fulldisclosure/2013/Jun/10

@davidmcgrew
Collaborator
@jfigus jfigus closed this