
CVE-2022-47515: terminate called after throwing an instance of 'std::length_error' #245

Closed
asarubbo opened this issue Nov 29, 2022 · 2 comments

@asarubbo

Hi,

the following remote request is able to crash drachtio:

nc -w 5 PUBLIC_IP 5060 < file

terminate called after throwing an instance of 'std::length_error'
  what():  basic_string::_M_replace_aux
Aborted

A bit of backtrace here:

terminate called after throwing an instance of 'std::length_error'
  what():  basic_string::_M_replace_aux

Thread 1 "drachtio" received signal SIGABRT, Aborted.
0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6cb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff705e7ec in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007ffff7069966 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff70699d1 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffff7069c65 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x00007ffff706109a in std::__throw_length_error(char const*) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x00007ffff70f82cf in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_replace_aux(unsigned long, unsigned long, unsigned long, char) ()
   from /lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x00000000004f10f5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::resize (__n=<optimized out>, this=0x617000004418)
    at /usr/include/c++/10/bits/basic_string.h:940
#9  drachtio::StackMsg::appendLine (szLine=<optimized out>, complete=true, this=0x617000004310) at ../src/controller.cpp:276
#10 drachtio::StackMsg::appendLine (this=0x617000004310, szLine=<optimized out>, complete=<optimized out>) at ../src/controller.cpp:272
#11 0x00000000004f4230 in (anonymous namespace)::__sofiasip_logger_func(void *, const char *, typedef __va_list_tag __va_list_tag *) (logarg=<optimized out>, 
    fmt=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n", ap=0x7fffffffb4e0) at ../src/controller.cpp:132
#12 0x00000000009f0304 in su_log (fmt=fmt@entry=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n") at su_log.c:95
#13 0x0000000000a30504 in tport_log_msg (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, what=what@entry=0xc24480 "recv", via=via@entry=0xc24440 "from", now=...)
    at tport_logging.c:901
#14 0x0000000000a21d47 in tport_deliver (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, next=next@entry=0x0, sc=<optimized out>, now=...) at tport.c:3081
#15 0x0000000000a224d0 in tport_parse (self=self@entry=0x615000004e00, complete=0, now=...) at tport.c:3015
#16 0x0000000000a23ee0 in tport_recv_event (self=0x615000004e00) at tport.c:2954
#17 0x0000000000a2a2e0 in tport_base_wakeup (self=0x615000004e00, events=1) at tport.c:2855
#18 0x0000000000a83e3c in su_epoll_port_wait_events (self=0x611000001e40, tout=<optimized out>) at su_epoll_port.c:510
#19 0x0000000000a82a45 in su_base_port_run (self=0x611000001e40) at su_base_port.c:349
#20 0x00000000004dc07c in drachtio::DrachtioController::run (this=<optimized out>) at ../src/controller.cpp:1336
#21 0x00000000004647af in main (argc=9, argv=0x7fffffffe898) at ../src/main.cpp:47
# drachtio -v
v0.8.20-rc1

Attaching the testcase as a zip; to reproduce you need to unzip it. No need to do replacements in the file, but please note that it is a TCP request and not UDP like the previous bugs.
length_error.zip
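An added example, not drachtio's code and not from the reporter, of the defensive pattern this crash calls for: the backtrace shows std::string::resize throwing std::length_error inside a C-ABI logging callback, where no C++ handler can catch it before std::terminate. The hypothetical appendLineChecked rejects an overlong length before touching the string, and the callback catches at the C/C++ boundary; the cap, function names and the sample SIP line are assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <exception>
#include <limits>
#include <stdexcept>
#include <string>

// Constructed stand-in for a line buffer shaped like the StackMsg::appendLine
// frame in the backtrace (hypothetical, not drachtio's code). The length is
// validated before the string is touched, so resize/append can never be asked
// for more than the string can hold.
constexpr std::size_t kMaxLineBytes = 64 * 1024;  // assumption: per-line cap

// Returns false to reject the line instead of letting std::string throw.
bool appendLineChecked(std::string& buf, const char* line, std::size_t len) {
    if (line == nullptr || len > kMaxLineBytes) return false;  // overlong/wrapped
    if (buf.size() > kMaxLineBytes - len) return false;         // total cap
    buf.append(line, len);
    buf.push_back('\n');
    return true;
}

// Shape of a C-ABI logging callback: the calling library is C and cannot
// unwind a C++ exception, so anything thrown here ends in std::terminate().
// A catch-all at the boundary turns that abort into a dropped log line.
extern "C" void loggerCallback(void* ctx, const char* line, std::size_t len) noexcept {
    auto* buf = static_cast<std::string*>(ctx);
    try {
        if (!appendLineChecked(*buf, line, len))
            std::fprintf(stderr, "logger: dropped line of %zu bytes\n", len);
    } catch (const std::exception& e) {
        std::fprintf(stderr, "logger: %s\n", e.what());
    }
}

// What the unchecked path does: resize() past max_size() throws length_error.
bool uncheckedResizeThrows(std::size_t n) {
    std::string s;
    try { s.resize(n); } catch (const std::length_error&) { return true; }
    return false;
}

// Constructed SIP-style line and a bogus length pushed through the callback.
std::string checkedAppendDemo() {
    std::string buf;
    loggerCallback(&buf, "INVITE sip:bob@example.com SIP/2.0", 34);
    loggerCallback(&buf, "x", std::numeric_limits<std::size_t>::max());  // rejected
    return buf;
}
```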

@davehorton (Collaborator)

fixed in v0.8.20-rc3

@asarubbo asarubbo changed the title terminate called after throwing an instance of 'std::length_error' CVE-2022-47515: terminate called after throwing an instance of 'std::length_error' Dec 20, 2022
@asarubbo (Author)

CVE-2022-47515 has been assigned to this issue.
