Headline
CVE-2021-41396: [Live-devel] A Heap-overflow in FD_ISSET
Live555 through 1.08 does not handle socket connections properly. A huge number of incoming socket connections in a short time invokes the error-handling module, in which a heap-based buffer overflow happens. An attacker can leverage this to launch a DoS attack.
Ba Jinsheng bajinsheng at u.nus.edu
Wed Sep 8 22:28:48 PDT 2021
- Previous message (by thread): [Live-devel] Memory Leak in MPEGProgramStreamParser
- Next message (by thread): [Live-devel] A Heap-overflow in FD_ISSET
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
There may be another similar overflow bug about the fd_set in BasicUsageEnvironment/BasicTaskScheduler.cpp:115
for (int i = 0; i < 10000; ++i) { if (FD_ISSET(i, &fReadSet) || FD_ISSET(i, &fWriteSet) || FD_ISSET(i, &fExceptionSet)) { fprintf(stderr, " %d(", i); if (FD_ISSET(i, &fReadSet)) fprintf(stderr, “r”); if (FD_ISSET(i, &fWriteSet)) fprintf(stderr, “w”); if (FD_ISSET(i, &fExceptionSet)) fprintf(stderr, “e”); fprintf(stderr, ")"); } }
In default, the fd_set should only support 1024 fds. Sometimes, it incur the overflow as follow:
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000470 at pc 0x000000647338 bp 0x7ffff34b50d0 sp 0x7ffff34b50c8 READ of size 8 at 0x619000000470 thread T1 #0 0x647337 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61 #1 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5 #2 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41 #3 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14 #4 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock*, unsigned char, FramedSource*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22 #5 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6 #6 0x4e412f in RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17 #7 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19 #8 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3 #9 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15 #10 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2 #11 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5 #12 0x59bf95 in AC3AudioStreamParser::readAndSaveAFrame() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:314:41 #13 0x59bf95 in AC3AudioStreamFramer::samplingRate() /home/ubuntu/experiments/live555/liveMedia/AC3AudioStreamFramer.cpp:112:14 #14 0x52b7f6 in AC3AudioFileServerMediaSubsession::createNewRTPSink(Groupsock*, unsigned char, FramedSource*) /home/ubuntu/experiments/live555/liveMedia/AC3AudioFileServerMediaSubsession.cpp:60:22 #15 0x5e744e in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, sockaddr_storage const&, Port const&, Port const&, int, unsigned char, unsigned char, sockaddr_storage&, unsigned char&, unsigned char&, Port&, Port&, void*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:168:6 #16 0x4e412f in RTSPServer::RTSPClientSession::handleCmd_SETUP_afterLookup2(ServerMediaSession*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1514:17 #17 0x4e0235 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:831:19 #18 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:291:3 #19 0x4d22be in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:284:15 #20 0x6469f5 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:171:2 #21 0x64ef1a in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
0x619000000470 is located 0 bytes to the right of 1008-byte region [0x619000000080,0x619000000470) allocated by thread T1 here: #0 0x4c789d in operator new(unsigned long) (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x4c789d) #1 0x645882 in BasicTaskScheduler::createNew(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:32:9
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:115:61 in BasicTaskScheduler::SingleStep(unsigned int) Shadow bytes around the buggy address: 0x0c327fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c327fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa 0x0c327fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==13==ABORTING
Best regards, Jinsheng Ba
-------------- next part -------------- An HTML attachment was scrubbed… URL: http://lists.live555.com/pipermail/live-devel/attachments/20210909/84e04d3f/attachment-0001.htm\
- Previous message (by thread): [Live-devel] Memory Leak in MPEGProgramStreamParser
- Next message (by thread): [Live-devel] A Heap-overflow in FD_ISSET
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the live-devel mailing list