[Freeswitch-dev] ISSUES: webapi with iPhone, expr divide by zero

Michael Collins mcollins at fcnetwork.com
Fri Aug 1 05:59:13 EDT 2008


FYI,

I stumbled across two potential issues.  I'm sure if we don't deal with them then some overzealous security "expert" is going to flag these as vulnerabilities.

First off, expr probably needs some error checking.  If you go to the CLI and type "expr 1/0" then your system will lock up.  I had to kill -9 the pid to get it to clear out.  I don't expect normal people to attempt to divide by zero but we might as well not leave a potential DoS hole open.  (Let me know if you want a jira on this issue.)

Secondly, I am consistently able to get fs to crash when accessing an api or webapi command via the abyss/xmlrpc server. In the latest instance it crashed as soon as I connected to the server itself, but at least twice I was able to connect to the server but it core dumped as soon as I did any kind of api/webapi command. I have core dumps and I'll bt full them and get a jira open on this as well.  I just wanted to alert you guys in case you are curious.  It's almost 3am here so I'm not awake enough to make a coherent jira post atm.

I have tested the api/webapi with Safari on WinXP and Safari on OSX Leopard with no issues.

I'm pasting the bt full at the end of this email but I will include it also in the jira that I open up...
-MC

bt full
#0  0x0072bfd3 in strlen () from /lib/libc.so.6
No symbol table info available.
#1  0x0072bd15 in strdup () from /lib/libc.so.6
No symbol table info available.
#2  0x002673ab in TableAdd (t=0x0, name=0x292db0 "freeswitch-user", value=0x0)
    at ../../../../libs/xmlrpc-c/lib/abyss/src/data.c:497
No locals.
#3  0x0026fa7e in ResponseAddField (sessionP=0xbe82a8, 
    name=0x292db0 "freeswitch-user", value=0x0)
    at ../../../../libs/xmlrpc-c/lib/abyss/src/response.c:131
No locals.
#4  0x00263b12 in http_directory_auth (r=0xbe82a8, 
    domain_name=0x87bbd58 "192.168.50.229") at mod_xml_rpc.c:310
	p = 0x87446a6 "dW5kZWZpbmVkOnVuZGVmaW5lZA=="
	x = <value optimized out>
	z = "freeswitch:works\000\201¾\000tch\"", '\0' <repeats 36 times>, "\001", '\0' <repeats 19 times>, "\001h)\000\002\000\000\000\000\000\000\000ÿÿÿÿ\000\000\000\000\200³\177\000h\213}\b\000\000\000\000\000\000\000\000\n\000\000\000\001\000\000\000\206\f~", '\0' <repeats 29 times>, " z¾\000\000\001\000\000\001\000\000\000\001", '\0' <repeats 15 times>, "±[r", '\0' <repeats 29 times>, "±[r\000¸Á\177\000QSr\000PÁ\177\000PÁ\177\0002048\000\000\0001\000\000\000\000(\000\000\000¨Å|\b"
	t = "ZnJlZXN3aXRjaDp3b3Jrcw==\000\000\000\0000Á\177\000\200\000\000\000\---Type <return> to continue, or q <return> to quit---
030\000\000\000¼$~\000@#y\bQSr\000PÁ\177\000PÁ\17711456ô¯\177\000QSr\000\030\000\000\000,Á\177"
	user = "undefined\000undefined", '\0' <repeats 489 times>, "d\000\000"
	mypass1 = 0x0
	mypass2 = 0x0
	x_domain = (switch_xml_t) 0x86c4990
	x_domain_root = (switch_xml_t) 0x86a9df8
	x_user = (switch_xml_t) 0x0
	x_params = <value optimized out>
	x_param = (switch_xml_t) 0x0
	box = 0x221d72 ""
	at = 0
	params = (switch_event_t *) 0x0
	__PRETTY_FUNCTION__ = "http_directory_auth"
#5  0x002644ca in auth_hook (r=0xbe82a8) at mod_xml_rpc.c:389
	new_uri = <value optimized out>
	tmp = "°cy\b Á\177\000\021\000\000\000i\000\000\000\021\000\000\000PÁ\177\000Q\000\000\000Xcy\bh\000\000\000ð¼{\b\020\000\000\000ð¼{\b±[r\000ô¯\177\000`cy\b Á\177\000\220Ò\203\000\004\201¾\000\000\000\000\000\000\000\000\000L\000\000\000ÈÁ\177\000±[r\000¤\037r\000PÁ\177\000Xcy\b±[r\000\236 {\bÈ\000\000\000\000\000\000\000\210\232m\b¡z¾\000\003\000\000\000+\202p\000±[r\000PÂ\177\000W\201¾\000PÁ\177\000\030\000\000\000,Á\177\000QSr\000Ø\201¾\000\030\000\000\000,Á\177\000PÁ\177\000\000\000\000\000\002\000\000\000\226 {\bQSr\000\226 {\b"...
---Type <return> to continue, or q <return> to quit---
	list = {0x292f61 "index.html", 0x292f6c "index.txt"}
	domain_name = <value optimized out>
	ret = 0
	__PRETTY_FUNCTION__ = "auth_hook"
#6  0x00270939 in serverFunc (userHandle=0x87ba058)
    at ../../../../libs/xmlrpc-c/lib/abyss/src/server.c:515
	handlerP = <value optimized out>
	srvP = (struct _TServer * const) 0x885ed68
	requestCount = 1
#7  0x00266450 in connJob (userHandle=0x87ba058)
    at ../../../../libs/xmlrpc-c/lib/abyss/src/conn.c:37
No locals.
#8  0x00274a32 in pthreadStart (arg=0x87bcb58)
    at ../../../../libs/xmlrpc-c/lib/abyss/src/thread_pthread.c:48
	__cancel_buf = {__cancel_jmp_buf = {{__cancel_jmp_buf = {2759784, 0, 
        12487568, 12485560, 325792842, 334691634}, __mask_was_saved = 0}}, 
  __pad = {0xbe8470, 0x0, 0x0, 0x7faff4}}
	__cancel_routine = (void (*)(void *)) 0x266480 <threadDone>
	__cancel_arg = (void *) 0x87ba058
	not_first_call = <value optimized out>
	threadP = (struct abyss_thread * const) 0x87bcb58
#9  0x0083545b in start_thread () from /lib/libpthread.so.0
No symbol table info available.
---Type <return> to continue, or q <return> to quit---
#10 0x0078d24e in clone () from /lib/libc.so.6
No symbol table info available.
(gdb)
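The trace above ends in strlen() because frames #2 and #3 pass value=0x0 for the "freeswitch-user" field while frame #4 shows x_user, mypass1 and mypass2 all 0x0. As an added example (not FreeSWITCH or xmlrpc-c code; the table type, lookup and function names are hypothetical stand-ins), this shows a header add that refuses NULL and an auth path that denies before touching the response:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a response-header table (not the Abyss TTable). */
#define MAX_FIELDS 8
struct field { char *name; char *value; };
struct table { struct field items[MAX_FIELDS]; size_t count; };

/* Copy a string; NULL in gives NULL out instead of strlen(NULL). */
static char *dup_checked(const char *s)
{
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy != NULL) memcpy(copy, s, n);
    return copy;
}

/* Returns 1 if stored, 0 if an argument is NULL or the table is full. */
int table_add_checked(struct table *t, const char *name, const char *value)
{
    if (t == NULL || name == NULL || value == NULL || t->count >= MAX_FIELDS)
        return 0;
    char *n = dup_checked(name), *v = dup_checked(value);
    if (n == NULL || v == NULL) { free(n); free(v); return 0; }
    t->items[t->count].name = n;
    t->items[t->count].value = v;
    t->count++;
    return 1;
}

/* Constructed one-user directory; returns NULL for unknown or NULL users. */
struct entry { const char *user; const char *pass; };
static const struct entry *lookup(const char *user)
{
    static const struct entry only = { "freeswitch", "works" };
    return (user != NULL && strcmp(user, only.user) == 0) ? &only : NULL;
}

/* Returns 1 when authenticated and the header was added, 0 otherwise. */
int directory_auth(struct table *resp, const char *user, const char *pass)
{
    const struct entry *e = lookup(user);
    if (e == NULL || pass == NULL || strcmp(e->pass, pass) != 0)
        return 0;                      /* deny before building any header */
    return table_add_checked(resp, "freeswitch-user", e->user);
}

int main(void)
{
    struct table resp = {0};
    printf("undefined:undefined -> %d\n", directory_auth(&resp, "undefined", "undefined"));
    printf("freeswitch:works    -> %d\n", directory_auth(&resp, "freeswitch", "works"));
    return 0;
}
```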


