CVE-2022-47516: tport.c:3313: tport_tsend: Assertion `self' failed. #244

Closed
asarubbo opened this issue Nov 28, 2022 · 4 comments

@asarubbo

Hi,

the following remote request is able to crash drachtio:

nc -w 5 -u PUBLIC_IP 5060 < file


drachtio: tport.c:3313: tport_tsend: Assertion `self' failed.

A bit of backtrace here:

Thread 1 "drachtio" received signal SIGABRT, Aborted.
0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6cb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff6cb340f in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff6cc2662 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x0000000000a2852c in tport_tsend (self=0x0, msg=msg@entry=0x619000013180, _tpn=<optimized out>, tag=<optimized out>, value=-1) at tport.c:3313
#5  0x00000000009a2345 in nta_msg_tsend (agent=<optimized out>, msg=msg@entry=0x619000013180, u=u@entry=0x0, tag=tag@entry=0x0, value=value@entry=0) at nta.c:3748
#6  0x00000000004c8528 in drachtio::DrachtioController::processMessageStatelessly (this=<optimized out>, msg=<optimized out>, sip=<optimized out>) at ../src/controller.cpp:1571
#7  0x00000000004ce7dc in (anonymous namespace)::stateless_callback (controller=<optimized out>, agent=<optimized out>, msg=<optimized out>, sip=<optimized out>)
    at ../src/controller.cpp:189
#8  0x00000000009ad356 in agent_recv_response (tport_via=<optimized out>, tport=<optimized out>, sip=<optimized out>, msg=<optimized out>, agent=<optimized out>) at nta.c:3573
#9  agent_recv_message (agent=0x61900000ff80, tport=<optimized out>, msg=<optimized out>, tport_via=<optimized out>, now=...) at nta.c:2955
#10 0x0000000000a22235 in tport_deliver (self=self@entry=0x616000001b80, msg=msg@entry=0x619000013180, next=next@entry=0x0, sc=<optimized out>, now=...) at tport.c:3097
#11 0x0000000000a227ab in tport_parse (self=self@entry=0x616000001b80, complete=1, now=...) at tport.c:3015
#12 0x0000000000a23ee0 in tport_recv_event (self=0x616000001b80) at tport.c:2954
#13 0x0000000000a2a300 in tport_base_wakeup (self=0x616000001b80, events=1) at tport.c:2855
#14 0x0000000000a83e5c in su_epoll_port_wait_events (self=0x611000001f80, tout=<optimized out>) at su_epoll_port.c:510
#15 0x0000000000a82a65 in su_base_port_run (self=0x611000001f80) at su_base_port.c:349
#16 0x00000000004dc07c in drachtio::DrachtioController::run (this=<optimized out>) at ../src/controller.cpp:1336
#17 0x00000000004647af in main (argc=9, argv=0x7fffffffe898) at ../src/main.cpp:47
(gdb)

# drachtio -v
v0.8.19

I suppose that the issue is in libsofia-sip, but filing here because I can reproduce via drachtio.

Attaching the testcase zipped; to reproduce you need to unzip it and replace the string 'PUBLIC_IP' with the public IP address of the server.
assertion_failed.zip
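
The failure mode in this report, an assertion on a transport pointer that is reachable from a received packet, shown beside a checked send path that drops the message instead of aborting. This is an added example, not code from drachtio or sofia-sip and not the fix in the commits referenced below; every `model_*` name and the sample messages are constructed for illustration.

```c
/* Added illustration: simplified model, not sofia-sip/drachtio source; model_* names are hypothetical. */
#include <assert.h>
#include <stdio.h>
struct model_tport { int id; size_t bytes_sent; };
struct model_msg   { int tport_id; size_t len; };  /* tport_id < 0: no transport resolved */

/* Pattern in the backtrace: assert() on a pointer that a received packet can leave NULL aborts the daemon. */
int model_tsend_asserting(struct model_tport *self, const struct model_msg *msg)
{
    assert(self);
    self->bytes_sent += msg->len;
    return 0;
}

/* Checked form: a missing transport is a per-message error the caller can handle. */
int model_tsend_checked(struct model_tport *self, const struct model_msg *msg)
{
    if (self == NULL || msg == NULL)
        return -1;
    self->bytes_sent += msg->len;
    return 0;
}

/* Returns the transport with the given id, or NULL when none matches. */
struct model_tport *model_find_tport(struct model_tport *tp, size_t ntp, int id)
{
    for (size_t i = 0; i < ntp; i++)
        if (tp[i].id == id)
            return &tp[i];
    return NULL;
}

/* Sends every message; returns how many were dropped because no transport was found. */
size_t model_forward_all(struct model_tport *tp, size_t ntp, const struct model_msg *m, size_t nm)
{
    size_t dropped = 0;
    for (size_t i = 0; i < nm; i++)
        if (model_tsend_checked(model_find_tport(tp, ntp, m[i].tport_id), &m[i]) < 0)
            dropped++;  /* discard this message; the process keeps serving */
    return dropped;
}

int main(void)
{
    struct model_tport tp[] = { { 1, 0 } };
    struct model_msg msgs[] = { { 1, 100 }, { -1, 40 }, { 1, 60 } };  /* constructed input */
    printf("dropped=%zu\n", model_forward_all(tp, 1, msgs, 3));
    return 0;
}
```

Building with `NDEBUG` removes the `assert` but not the problem: the asserting variant would then dereference a NULL pointer, so the explicit check is still required.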

davehorton added a commit that referenced this issue Nov 28, 2022
@davehorton
Collaborator

fixed in v0.8.20-rc1

@asarubbo
Author

CVE-2022-47516 has been assigned to this issue.

@asarubbo changed the title from "tport.c:3313: tport_tsend: Assertion `self' failed." to "CVE-2022-47516: tport.c:3313: tport_tsend: Assertion `self' failed." on Dec 20, 2022
@carnil

carnil commented Feb 22, 2023

This has also been fixed in the original sofia-sip as freeswitch/sofia-sip@cadf505

@davehorton
Collaborator

fixed in davehorton/sofia-sip@77e79d2
