Bug#1003719: stund: killed with assertion failed message

Yann Droneaud ydroneaud at opteya.com
Fri Jan 14 09:11:54 GMT 2022


Package: stun-server
Version: 0.97~dfsg-2.1+b1
Severity: normal
Tags: upstream

Dear Maintainer,

Through fuzzing with AFL++, a STUN request raising the following
assertion in stund was found:

    stund: stun.cxx:791: void stunCreateUserName(const StunAddress4&, StunAtrString*): Assertion `l%4 == 0' failed.

One UDP datagram that triggers the assertion is:

    $ echo AAIAAGS0zoCspgAAAGS0tM6ArPc= | base64 -d | hexdump -C
    00000000  00 02 00 00 64 b4 ce 80  ac a6 00 00 00 64 b4 b4  |....d........d..|
    00000010  ce 80 ac f7                                       |....|
    00000014

This packet can be sent with:

    $ echo AAIAAGS0zoCspgAAAGS0tM6ArPc= | base64 -d | socat - UDP-DATAGRAM:10.0.2.15:3478

Stacktrace:

    $ gdb /usr/sbin/stund
    (gdb) run -v -h 10.0.2.15
    Starting program: /usr/sbin/stund -v -h 10.0.2.15
    STUN server version 0.97
    If your machine does not have exactly two ethernet interfaces, you must specify the server and alt server
    Running with on interface 10.0.2.15:3478 with alternate 0.0.0.0:3479
    Warning - no alternate ip address STUN will not work
    Binding to interface 0xf02000a
    Opened port 3478 with fd 3
    Binding to interface 0xf02000a
    Opened port 3479 with fd 4
    received on A1:P1
    Got a request (len=20) from 10.0.2.15:47005
    Received stun message: 20 bytes
    Request parsed ok
    Received SharedSecretRequestMsg on udp. send error 433.
    stund: stun.cxx:791: void stunCreateUserName(const StunAddress4&, StunAtrString*): Assertion `l%4 == 0' failed.

    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    (gdb) bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7af7535 in __GI_abort () at abort.c:79
    #2  0x00007ffff7af740f in __assert_fail_base (fmt=0x7ffff7c59ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x55555555e76d "l%4 == 0", 
        file=0x55555555e705 "stun.cxx", line=791, function=<optimized out>) at assert.c:92
    #3  0x00007ffff7b05102 in __GI___assert_fail (assertion=assertion@entry=0x55555555e76d "l%4 == 0", file=file@entry=0x55555555e705 "stun.cxx",
        line=line@entry=791,
        function=function@entry=0x55555555f5c0 <stunCreateUserName(StunAddress4 const&, StunAtrString*)::__PRETTY_FUNCTION__> "void stunCreateUserName(const StunAddress4&, StunAtrString*)") at assert.c:101
    #4  0x0000555555556a30 in stunCreateUserName (source=..., username=username@entry=0x7fffffff9dbe) at stun.cxx:791
    #5  0x00005555555597bd in stunCreateSharedSecretResponse (response=..., source=..., request=...) at stun.cxx:1007
    #6  stunServerProcessMsg (buf=buf@entry=0x7fffffffa230 "", bufLen=<optimized out>, from=..., secondary=..., myAddr=..., altAddr=..., resp=<optimized out>,
        destination=<optimized out>, hmacPassword=<optimized out>, changePort=<optimized out>, changeIp=<optimized out>, verbose=<optimized out>)
        at stun.cxx:1058
    #7  0x000055555555b532 in stunServerProcess (info=..., verbose=<optimized out>) at stun.cxx:1566
    #8  0x000055555555622c in main (argc=<optimized out>, argv=<optimized out>) at server.cxx:222

The problem is found in stunCreateUserName() in stun.cxx:

    762 void
    763 stunCreateUserName(const StunAddress4& source, StunAtrString* username)
    [...] 
    770    char buffer[1024];
    771    sprintf(buffer,
    772            "%08x:%08x:%08x:",
    773            UInt32(source.addr),
    774            UInt32(stunRand()),
    775            UInt32(lotime));
    [...]
    783    char hmacHex[41];
    784    toHex(hmac, 20, hmacHex );
    785    hmacHex[40] =0;
    786
    787    strcat(buffer,hmacHex);
    788
    789    int l = strlen(buffer);
    790    assert( l+1 < STUN_MAX_STRING );
    791    assert( l%4 == 0 );

    buffer's length is always a multiple of 3, not 4, due to the number
    of colons specified in sprintf()'s format string.

Remark:

    buffer's length must be a multiple of 4, as STUN message attributes
    must be aligned on 4 byte boundary.

-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages stun-server depends on:
ii  libc6       2.28-10
ii  libgcc1     1:8.3.0-6
ii  libstdc++6  8.3.0-6

Versions of packages stun-server recommends:
ii  stun-client  0.97~dfsg-2.1+b1

stun-server suggests no packages.

-- no debconf information
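
An added example, not part of the original report or the stund source: it decodes the header of the datagram in the hexdump above and rebuilds a username with the same format string and a 40-character hex digest, so the length that reaches the `l%4` check can be measured. The function names, the sample address, random and time values, and the stand-in digest are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 20-byte datagram from the report's hexdump. */
static const uint8_t TRIGGER[20] = {
    0x00, 0x02, 0x00, 0x00, 0x64, 0xb4, 0xce, 0x80, 0xac, 0xa6,
    0x00, 0x00, 0x00, 0x64, 0xb4, 0xb4, 0xce, 0x80, 0xac, 0xf7
};

#define STUN_HDR_LEN 20                    /* type, length, 16-byte transaction ID */
#define STUN_SHARED_SECRET_REQUEST 0x0002  /* RFC 3489 message type */

/* Returns the message type, or -1 if the header is malformed (short
 * datagram, or length field not matching the payload / not 4-byte aligned). */
int stun_msg_type(const uint8_t *buf, size_t len)
{
    if (len < STUN_HDR_LEN) return -1;
    unsigned attr_len = (unsigned)buf[2] << 8 | buf[3];
    if (attr_len != len - STUN_HDR_LEN || attr_len % 4 != 0) return -1;
    return buf[0] << 8 | buf[1];
}

/* Builds a username with the excerpt's format string; the HMAC hex is a
 * constructed 40-character stand-in. Returns strlen() of the result. */
size_t username_len(uint32_t addr, uint32_t rnd, uint32_t lotime)
{
    char buffer[1024];
    char hmac_hex[41];
    memset(hmac_hex, 'a', 40);
    hmac_hex[40] = 0;
    int n = snprintf(buffer, sizeof buffer, "%08x:%08x:%08x:",
                     (unsigned)addr, (unsigned)rnd, (unsigned)lotime);
    snprintf(buffer + n, sizeof buffer - n, "%s", hmac_hex);
    return strlen(buffer);
}

/* Bytes of padding needed to reach the next 4-byte boundary. */
size_t pad_to_4(size_t l) { return (4 - l % 4) % 4; }

int main(void)
{
    size_t l = username_len(0x0a00020f, 0x12345678, 0x61e13f00); /* constructed values */
    int is_ssr = stun_msg_type(TRIGGER, sizeof TRIGGER) == STUN_SHARED_SECRET_REQUEST;
    printf("shared_secret_request=%d username_len=%zu l%%4=%zu pad=%zu\n",
           is_ssr, l, l % 4, pad_to_4(l));
    return 0;
}
```

The datagram decodes as a Shared Secret Request with a zero-length attribute section, matching the `Received SharedSecretRequestMsg on udp` line in the server log.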


