A heap-buffer-overflow in sngrep while processing a malformed SIP packet: the rtp_check_packet function in src/rtp.c reads past the end of the heap-allocated packet payload (45 bytes, allocated in packet_set_payload) when the RTCP payload is shorter than the fixed-size report header it copies out. Reproduced on sngrep 1.8.1 with AddressSanitizer.
==728054==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000029c0 at pc 0x0000004e34f6 bp 0x7ffff46f9570 sp 0x7ffff46f9568
READ of size 4 at 0x6040000029c0 thread T1
#0 0x4e34f5 in rtp_check_packet /sngrep/src/rtp.c:275:25
#1 0x4cb08c in capture_packet_parse /sngrep/src/capture.c:993:23
#2 0x4c84a4 in parse_packet /sngrep/src/capture.c:455:9
#3 0x7ffff7f13466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
#4 0x7ffff7f01f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
#5 0x4c76ab in capture_thread /sngrep/src/capture.c:1069:5
#6 0x7ffff7ed3608 in start_thread /build/glibc-wuryBv/glibc-2.31/nptl/pthread_create.c:477:8
#7 0x7ffff7c7e352 in clone /build/glibc-wuryBv/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x6040000029c0 is located 3 bytes to the right of 45-byte region [0x604000002990,0x6040000029bd)
allocated by thread T1 here:
#0 0x49735d in malloc (/sngrep/src/sngrep+0x49735d)
#1 0x4ce743 in packet_set_payload /sngrep/src/packet.c:145:27
Thread T1 created by T0 here:
#0 0x48210a in pthread_create (/sngrep/src/sngrep+0x48210a)
#1 0x4cb93f in capture_launch_thread /sngrep/src/capture.c:1054:13
#2 0x4d7616 in main /sngrep/src/main.c:451:9
#3 0x7ffff7b83082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /sngrep/src/rtp.c:275:25 in rtp_check_packet
Shadow bytes around the buggy address:
0x0c087fff84e0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
0x0c087fff84f0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8500: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c087fff8510: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8520: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x0c087fff8530: fa fa 00 00 00 00 00 05[fa]fa fa fa fa fa fa fa
0x0c087fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==728054==ABORTING
Malformed SIP packet (PoC payload, shown as extracted; non-printable bytes did not survive extraction and appear as ? or stray characters):
?ò?000000000000000000000N000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000N00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Content-Length:0228
000000000000000000000000000000000000000000000000000000000000000000
00000000 10.33.6.100
m=00000 6000 RTP/00000000 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B00000000000000000000000000000000000000000000000000000000000000000000000000000050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B0000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000000000000000000000000000000000000000000000000000000000000000000000000000Z00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B000000000000000000000000000000000000000000000000000000000000000000000000000000?0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000V000000000000000000E0H000000000
!d00q0000??000000000000000000000000??000000000000
Commit reference: da80ced
File reference: src/rtp.c
@@ -271,6 +271,10 @@ rtp_check_packet(packet_t *packet)
// Check RTCP packet header typ
switch (hdr.type) {
case RTCP_HDR_SR:
// Ensure there is enough payload to fill the header
if (size < sizeof(struct rtcp_hdr_sr))
break;
// Get Sender Report header
memcpy(&hdr_sr, payload, sizeof(hdr_sr));
stream->rtcpinfo.spc = ntohl(hdr_sr.spc);
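Review bot: the guard `if (size < sizeof(struct rtcp_hdr_sr))` only protects the SR copy; the `hdr.type` consulted by the `switch` above it is read from `payload` before this hunk starts, so confirm that read is bounded by `size` the same way, otherwise a payload shorter than the common header is still dispatched into these cases. A `break` on a short payload also silently treats the packet as parsed; returning a failure so the caller can drop it would be clearer. Minor: write the check as `if (size < sizeof(hdr_sr))` to match `memcpy(&hdr_sr, payload, sizeof(hdr_sr));` on the next line.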
@@ -283,6 +287,10 @@ rtp_check_packet(packet_t *packet)
case RTCP_PSFB:
break;
case RTCP_XR:
// Ensure there is enough payload to fill the header
if (size < sizeof(struct rtcp_hdr_xr))
break;
// Get Sender Report Extended header
memcpy(&hdr_xr, payload, sizeof(hdr_xr));
bsize = sizeof(hdr_xr);
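Review bot: `bsize = sizeof(hdr_xr);` implies the code goes on to walk XR report blocks from that offset, but the guard `if (size < sizeof(struct rtcp_hdr_xr))` covers only the fixed header; every block header read after it needs its own comparison against `size - bsize`, or the same over-read reappears one struct further on. The comment `// Get Sender Report Extended header` is also wrong for this case: RTCP_XR is an Extended Report (RFC 3611), not a sender report, so rename it to match the case label. Same minor as the SR hunk: `sizeof(hdr_xr)` in the check to match the memcpy.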
The commit above adds a length check in front of each fixed-size header copy. In the RTCP_HDR_SR and RTCP_XR cases it compares the remaining payload size against the size of the header struct and breaks out of the switch when the payload is too short; only when enough bytes are present does it memcpy the header into the local hdr_sr or hdr_xr struct and, for XR, set the bsize variable to the size of the XR header. Without that check, a payload shorter than the header lets memcpy read beyond the allocation made in packet_set_payload, which is the read 3 bytes past the 45-byte region that AddressSanitizer reports above.
CVE-2024-35434 was assigned to this issue.
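As an added example, not sngrep's code, the same guard generalised to a compound RTCP packet: each chunk's common header, its self-declared length, and the fixed-size SR or XR header are all checked against the bytes that remain before anything is copied out. The struct layouts follow RFC 3550 but are this example's own simplified assumptions, not the definitions in sngrep's rtp.h; the three packets at the bottom are constructed, not taken from the report above. The 45-byte one mirrors the situation in the trace: a second chunk that claims to be a full 28-byte sender report with only 17 bytes left.

```c
/* Added example, not sngrep's code: a bounds-checked walk over a compound
 * RTCP packet. Struct layouts follow RFC 3550 but are this example's own
 * simplified assumptions, not the definitions in sngrep's rtp.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define RTCP_SR 200
#define RTCP_XR 207

struct rtcp_hdr {                /* 4-byte header in front of every chunk */
    uint8_t  version;            /* V(2) P(1) RC(5) */
    uint8_t  type;               /* 200 = SR, 207 = XR, ... */
    uint16_t len;                /* chunk length in 32-bit words, minus one */
};
struct rtcp_hdr_sr {             /* sender report: header, SSRC, sender info */
    struct rtcp_hdr hdr;
    uint32_t ssrc, ntp_sec, ntp_frac, rtp_ts, spc, soc;
};
struct rtcp_hdr_xr { struct rtcp_hdr hdr; uint32_t ssrc; };  /* XR: blocks follow */
_Static_assert(sizeof(struct rtcp_hdr_sr) == 28 && sizeof(struct rtcp_hdr_xr) == 8,
               "headers must be laid out exactly as on the wire");

struct rtcp_info { uint32_t spc, soc; int sr_seen, xr_seen; };

/* Parses every chunk in payload[0..size). Returns the chunk count, or -1 as
 * soon as any header would have to be read from beyond the end of the buffer. */
int rtcp_parse(const uint8_t *payload, size_t size, struct rtcp_info *info)
{
    int chunks = 0;
    memset(info, 0, sizeof(*info));
    while (size > 0) {
        struct rtcp_hdr hdr;
        if (size < sizeof(hdr))                /* guard the common header too */
            return -1;
        memcpy(&hdr, payload, sizeof(hdr));
        size_t chunk_len = ((size_t)ntohs(hdr.len) + 1) * 4;
        if (chunk_len > size)                  /* declared length vs. real bytes */
            return -1;
        switch (hdr.type) {
        case RTCP_SR: {
            struct rtcp_hdr_sr sr;
            /* the check the fix adds: never memcpy more than is actually left */
            if (size < sizeof(sr) || chunk_len < sizeof(sr))
                return -1;
            memcpy(&sr, payload, sizeof(sr));
            info->spc = ntohl(sr.spc);
            info->soc = ntohl(sr.soc);
            info->sr_seen = 1;
            break;
        }
        case RTCP_XR: {
            struct rtcp_hdr_xr xr;
            if (size < sizeof(xr) || chunk_len < sizeof(xr))
                return -1;
            memcpy(&xr, payload, sizeof(xr));
            info->xr_seen = 1;   /* XR blocks would be walked from here, each with its own check */
            break;
        }
        default:                               /* RR, SDES, BYE: skip by declared length */
            break;
        }
        payload += chunk_len;                  /* chunk_len <= size, so this stays in bounds */
        size -= chunk_len;
        chunks++;
    }
    return chunks;
}

/* By-value wrappers so results can be checked without a caller-side struct. */
static int chunk_count(const uint8_t *p, size_t n) { struct rtcp_info i; return rtcp_parse(p, n, &i); }
static struct rtcp_info parsed(const uint8_t *p, size_t n) { struct rtcp_info i; rtcp_parse(p, n, &i); return i; }

/* Constructed inputs for this example, not captures from the report above. */
static const uint8_t good_pkt[36] = {
    0x80, RTCP_SR, 0x00, 0x06,                 /* V=2, SR, len=6 -> 28 bytes */
    0xde, 0xad, 0xbe, 0xef,                    /* SSRC */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,      /* NTP sec, NTP frac, RTP timestamp */
    0x00, 0x00, 0x01, 0x00,                    /* sender packet count = 256 */
    0x00, 0x01, 0x00, 0x00,                    /* sender octet count = 65536 */
    0x80, RTCP_XR, 0x00, 0x01,                 /* V=2, XR, len=1 -> 8 bytes */
    0xde, 0xad, 0xbe, 0xef                     /* SSRC, no report blocks */
};
/* 45 bytes, like the region in the ASan report: a complete SR followed by a
 * chunk that claims to be another 28-byte SR although only 17 bytes remain. */
static const uint8_t truncated_pkt[45] = {
    0x80, RTCP_SR, 0x00, 0x06, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x80, RTCP_SR, 0x00, 0x06, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Length field consistent with the buffer, but an SR needs 28 bytes, not 8. */
static const uint8_t short_sr_pkt[8] = { 0x80, RTCP_SR, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    struct rtcp_info info = parsed(good_pkt, sizeof good_pkt);
    printf("good: %d chunks, spc=%u soc=%u\n", chunk_count(good_pkt, sizeof good_pkt), info.spc, info.soc);
    printf("truncated: %d, short SR: %d\n", chunk_count(truncated_pkt, sizeof truncated_pkt),
           chunk_count(short_sr_pkt, sizeof short_sr_pkt));
    return 0;
}
```

Build with `cc -fsanitize=address example.c` and delete the two `size < sizeof(...)` checks to see the difference: the 45-byte input then makes the second memcpy read 11 bytes past the array (reported by ASan as a global-buffer-overflow here, since the sample is static rather than malloc'd), which is the same class of over-read the trace above shows against the heap payload.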