CVE-2022-47515: terminate called after throwing an instance of 'std::length_error' · Issue #245 · drachtio/drachtio-server
An issue was discovered in drachtio-server before 0.8.20. It allows remote attackers to cause a denial of service (daemon crash) via a long message in a TCP request that leads to std::length_error.
Hi,
the following remote request is able to crash drachtio:
nc -w 5 PUBLIC_IP 5060 < file
terminate called after throwing an instance of 'std::length_error'
what(): basic_string::_M_replace_aux
Aborted
A bit of backtrace here:
terminate called after throwing an instance of 'std::length_error'
what(): basic_string::_M_replace_aux
Thread 1 "drachtio" received signal SIGABRT, Aborted.
0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff705e7ec in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#3 0x00007ffff7069966 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#4 0x00007ffff70699d1 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#5 0x00007ffff7069c65 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
#6 0x00007ffff706109a in std::__throw_length_error(char const*) () from /lib/x86_64-linux-gnu/libstdc++.so.6
#7 0x00007ffff70f82cf in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_replace_aux(unsigned long, unsigned long, unsigned long, char) ()
from /lib/x86_64-linux-gnu/libstdc++.so.6
#8 0x00000000004f10f5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::resize (__n=<optimized out>, this=0x617000004418)
at /usr/include/c++/10/bits/basic_string.h:940
#9 drachtio::StackMsg::appendLine (szLine=<optimized out>, complete=true, this=0x617000004310) at ../src/controller.cpp:276
#10 drachtio::StackMsg::appendLine (this=0x617000004310, szLine=<optimized out>, complete=<optimized out>) at ../src/controller.cpp:272
#11 0x00000000004f4230 in (anonymous namespace)::__sofiasip_logger_func(void *, const char *, typedef __va_list_tag __va_list_tag *) (logarg=<optimized out>,
fmt=0xc27e40 "%s ", '-' <repeats 72 times>, "\n", ap=0x7fffffffb4e0) at ../src/controller.cpp:132
#12 0x00000000009f0304 in su_log (fmt=fmt@entry=0xc27e40 "%s ", '-' <repeats 72 times>, "\n") at su_log.c:95
#13 0x0000000000a30504 in tport_log_msg (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, what=what@entry=0xc24480 "recv", via=via@entry=0xc24440 "from", now=...)
at tport_logging.c:901
#14 0x0000000000a21d47 in tport_deliver (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, next=next@entry=0x0, sc=<optimized out>, now=...) at tport.c:3081
#15 0x0000000000a224d0 in tport_parse (self=self@entry=0x615000004e00, complete=0, now=...) at tport.c:3015
#16 0x0000000000a23ee0 in tport_recv_event (self=0x615000004e00) at tport.c:2954
#17 0x0000000000a2a2e0 in tport_base_wakeup (self=0x615000004e00, events=1) at tport.c:2855
#18 0x0000000000a83e3c in su_epoll_port_wait_events (self=0x611000001e40, tout=<optimized out>) at su_epoll_port.c:510
#19 0x0000000000a82a45 in su_base_port_run (self=0x611000001e40) at su_base_port.c:349
#20 0x00000000004dc07c in drachtio::DrachtioController::run (this=<optimized out>) at ../src/controller.cpp:1336
#21 0x00000000004647af in main (argc=9, argv=0x7fffffffe898) at ../src/main.cpp:47
# drachtio -v
v0.8.20-rc1
Attaching the testcase as zipped, but to reproduce you need to unzip it. No need to do replacements in the file, but please note that it is a TCP request and not UDP like the previous bugs.
length_error.zip
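The backtrace shows the mechanism behind this report: an oversized message reaches a std::string::resize() that asks for more than the string can hold, libstdc++ throws std::length_error from _M_replace_aux, and because nothing on the receive path catches it, std::terminate() aborts the whole daemon. The following is an added illustration and is not drachtio's code: LineBuffer, kMaxBytes and handleMessage are hypothetical names, standing in for a line accumulator that rejects oversize input up front and contains any exception at the transport boundary so one bad message is dropped instead of taking the process down.

```cpp
#include <cstddef>
#include <exception>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical, simplified line accumulator (not drachtio's StackMsg).
// It mirrors the shape of the failing path: each line grows one std::string.
class LineBuffer {
public:
    // Hard cap on a single accumulated message; anything larger is refused
    // before it can ever be handed to resize()/append().
    static constexpr std::size_t kMaxBytes = 64 * 1024;

    // Returns false (message dropped) instead of growing past the cap.
    bool appendLine(const std::string& line) {
        std::size_t newSize = buf_.size() + line.size() + 1; // +1 for '\n'
        if (newSize < buf_.size() || newSize > kMaxBytes) return false; // wrap or too big
        buf_.append(line).push_back('\n');
        return true;
    }
    std::size_t size() const { return buf_.size(); }
    const std::string& str() const { return buf_; }

private:
    std::string buf_;
};

// Unguarded growth: asking resize() for more than max_size() throws
// std::length_error from _M_replace_aux, exactly the what() in the report.
// Returns true if that exception was observed (here it is caught; in the
// daemon it was not, so std::terminate() aborted the process).
bool unguardedResizeThrowsLengthError() {
    std::string s;
    try {
        s.resize(s.max_size() + 1);
    } catch (const std::length_error&) {
        return true;
    }
    return false;
}

// Transport-boundary guard: a malformed message must never abort the server.
// Any exception escaping message handling is contained here and the message
// is discarded; the caller can log and keep serving other connections.
bool handleMessage(LineBuffer& msg, const std::vector<std::string>& lines) {
    try {
        for (const auto& l : lines)
            if (!msg.appendLine(l)) return false;
        return true;
    } catch (const std::exception&) {
        return false;
    }
}
```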