From: Peter G. <jpg...@gm...> - 2008-04-22 19:16:14
Hi Alexander,

Do you have patches that address these two issues?

Pete

On Tue, Apr 22, 2008 at 3:09 PM, Alexander Vassilev <ava...@vo...> wrote:

> Hi all,
>
> If you remember from the past, there was a security issue with
> iax_net_process() tolerating frames that are smaller in size than the
> frame header itself. There were checks, but they only logged warnings,
> and didn't prevent a possible exploit. There was a security advisory on
> this, on securityfocus or somewhere else, not sure. The fix was to add a
> return statement if the checks catch a malformed packet. Now, looking at
> the code, I see the following:
>
> code from iax.c:
>
>     struct iax_event *iax_net_process(unsigned char *buf, int len, struct sockaddr_in *sin)
>     {
>         struct ast_iax2_full_hdr *fh = (struct ast_iax2_full_hdr *)buf;
>         struct ast_iax2_mini_hdr *mh = (struct ast_iax2_mini_hdr *)buf;
>         struct ast_iax2_video_hdr *vh = (struct ast_iax2_video_hdr *)buf;
>         struct iax_session *session;
>
>         if (ntohs(fh->scallno) & IAX_FLAG_FULL) {
>             /* Full size header */
>             if ((size_t)len < sizeof(struct ast_iax2_full_hdr)) {
>                 DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr));
>                 IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr));
>                 return NULL;
>             }
>
>         ...
>
> Note that there is no check if we actually have the 2 bytes in the
> buffer that represent fh->scallno. What happens if we receive a frame
> with size 1 byte?
>
> I also noticed an erroneous comment in this function - this one is not a
> security risk :) but would be good if it's fixed
>
> code from iax.c:
>
>     3236 /* Miniature, voice frame */
>     3237 if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000))
>
> This is actually a miniature video frame
>
> Best regards
>
> Alexander Vassilev
> Senior software engineer
> VoipGATE S.A.
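A hardened form of the length check Alexander describes, added here as an example (not libiax2's own code): the datagram length is validated before any header field is read, so a 1-byte frame is rejected instead of being read through fh->scallno. The header sizes follow the IAX2 wire format (RFC 5456); the function, enum and constant names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire sizes of the three IAX2 header kinds discussed in the thread
   (constructed for this example from the RFC 5456 layout). */
#define IAX_FLAG_FULL      0x8000
#define IAX_FULL_HDR_LEN   12  /* scallno, dcallno, ts, oseqno, iseqno, type, csub */
#define IAX_MINI_HDR_LEN    4  /* callno, ts */
#define IAX_VIDEO_HDR_LEN   6  /* zeros, callno, ts */

enum iax_frame_kind {
    IAX_FRAME_REJECT = 0,  /* too short for the header it claims, or unsupported */
    IAX_FRAME_FULL,
    IAX_FRAME_MINI,
    IAX_FRAME_VIDEO
};

/* Read a big-endian 16-bit field without casting buf to a struct. */
static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Classify a received datagram, reading each field only after the
   length proves it is present. A caller would return NULL (as the
   original check does for short full headers) on IAX_FRAME_REJECT. */
enum iax_frame_kind iax_classify_frame(const unsigned char *buf, size_t len)
{
    /* The 2-byte call number is the first thing every branch inspects,
       so a frame shorter than that is rejected before anything is read. */
    if (buf == NULL || len < 2)
        return IAX_FRAME_REJECT;

    if (rd16(buf) & IAX_FLAG_FULL) {
        /* Full frame: the whole 12-byte header must be in the buffer */
        return len >= IAX_FULL_HDR_LEN ? IAX_FRAME_FULL : IAX_FRAME_REJECT;
    }

    if (rd16(buf) == 0) {
        /* Miniature video frame: two zero bytes, then callno with the high
           bit set. Other meta frames are not handled by this example. */
        if (len < IAX_VIDEO_HDR_LEN)
            return IAX_FRAME_REJECT;
        return (rd16(buf + 2) & 0x8000) ? IAX_FRAME_VIDEO : IAX_FRAME_REJECT;
    }

    /* Miniature voice frame: callno, then a 16-bit timestamp */
    return len >= IAX_MINI_HDR_LEN ? IAX_FRAME_MINI : IAX_FRAME_REJECT;
}
```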