[sr-dev] Playing with Kamailio: passing invalid values without a quotes, segfaults, invalid casting, possible C code execution inside config, questions, etc...

20 Jan 2013


      Hello,
While developing and testing my new application (app_java) I've experienced
a very wierd behaviour.
a simple line:
 ismethod(free(malloc(0)));
in kamailio config file produces a segfault:
 0(2227) ERROR: <core> [cfg.y:3455]: cfg. parser: failed to find command
malloc
 0(2227) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 640, column 25: unknown
command, missing loadmodule?
Program received signal SIGSEGV, Segmentation fault.
0x081defde in yyparse () at cfg.y:3480
3480                    if ($1 && mod_func_action->val[1].u.number <
MAX_ACTIONS-2) {
(gdb)
so, let's pass a very wierd values :-) :
See following:
here is a small code snippet:
----------
exported functions definition (params from 2 to 7): { "java_exec",
(cmd_function)java_exec, 7,   NULL, 0,       ANY_ROUTE },
function prototype: int java_exec(struct sip_msg *msg, char *method_name,
char *signature, char *p1, char *p2, char *p3, char *p4, char *p5);
----------
1)
 java_exec("test",
"Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;", "str1", "str2",
"str3");
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;", "str1", 5,
"str3");
0(854) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;', params:
'str1', 'str2', 'str3', '(null)', '(null)'
 0(854) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;', params: 'str1', '5',
'str3', '(null)', '(null)'
2)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;B", "str1", 5,
"str3", 77);
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;B", "str1", 5,
"str3", 0x77);
0(854) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;B', params: 'str1', '5',
'str3', '77', '(null)'
 0(877) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;B', params: 'str1', '5',
'str3', '119', '(null)'
so, 77 is '77', 0x77 is '119' (hex conversion, ok)
3)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", true);
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", false);
0(907) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', '5',
'str3', '1', '(null)'
 0(907) ERROR: app_java [java_iface.c:81]: java_exec(): method_name='test',
signature='Ljava/lang/String;ILjava/lang/String;Z', params: 'str1', '5',
'str3', '0', '(null)'
so, true is '1', false is '0'. What is it ?
4)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", TRUE);
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", FALSE);
0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 632, column 86: syntax error
 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 632, column 86: '('')'
expected (function call)
 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 633, column 87: syntax error
 0(931) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 633, column 87: '('')'
expected (function call)
ERROR: bad config file (4 errors)
5)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", is_method("INVITE"));
Program received signal SIGSEGV, Segmentation fault.
fix_rval_expr (p=p@entry=0xb55dad00) at rvalue.c:3791
3791                            return fix_rval(&rve->left.rval);
(gdb)
6)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", is_unknown_method("INVITE"));
Program received signal SIGSEGV, Segmentation fault.
0x081defde in yyparse () at cfg.y:3480
3480                    if ($1 && mod_func_action->val[1].u.number <
MAX_ACTIONS-2) {
(gdb)
7)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", nonexistent_value);
0(1022) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: syntax error
 0(1022) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: '('')'
expected (function call)
ERROR: bad config file (2 errors)
8)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", nonexistent_function());
0(1035) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: syntax error
 0(1035) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 634, column 99: '('')'
expected (function call)
 0(1035) ERROR: <core> [cfg.y:3455]: cfg. parser: failed to find command
nonexistent_function
 0(1035) : <core> [cfg.y:3594]: parse error in config file
/opt/kamailio/etc/kamailio/kamailio.cfg, line 635, column 103: unknown
command, missing loadmodule?
Program received signal SIGSEGV, Segmentation fault.
0x081defde in yyparse () at cfg.y:3480
3480                    if ($1 && mod_func_action->val[1].u.number <
MAX_ACTIONS-2) {
(gdb)
9)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", 7777777777777777777777777777777777);
0(1368) ERROR: app_java [java_iface.c:81]: java_exec():
method_name='test', signature='Ljava/lang/String;ILjava/lang/String;Z',
params: 'str1', '5', 'str3', '2147483647', '(null)'
so, 7777777777777777777777777777777777 is '2147483647' (INT_MAX)
10)
 java_exec("test", "Ljava/lang/String;ILjava/lang/String;Z", "str1", 5,
"str3", 0x5 << 1);
0(1392) ERROR: app_java [java_iface.c:81]: java_exec():
method_name='test', signature='Ljava/lang/String;ILjava/lang/String;Z',
params: 'str1', '5', 'str3', '10', '(null)'
----------------------------------
Creating a new function java_exec2 with int param:
exported function:     { "java_exec2", (cmd_function)java_exec2, 2,   NULL,
0,     ANY_ROUTE },
prototype: int java_exec2(struct sip_msg *msg, char *method_name, int
param);
java_exec2("test", 5);
0(1690) ERROR: app_java [java_mod.c:56]: java_exec2(): method_name='test',
params: '-1252293208'
changing prototype to: int java_exec2(struct sip_msg *msg, char
*method_name, void *param);
 and trying to cast to (char*):
0(1867) ERROR: app_java [java_mod.c:56]: java_exec2(): method_name='test',
params: '5'
so, the params are being forcibly cast to (char *) ? Why the params aren't
void pointers ?
-------------------------------------------

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[sr-dev] Playing with Kamailio: passing invalid values without a quotes, segfaults, invalid casting, possible C code execution inside config, questions, etc...