[sr-dev] [tracker] Task opened: Crash in msrp module

Wed, 16 Apr 2014 08:04:41 -0700 

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Luis Martin (lmartin) 

Attached to Project - sip-router
Summary - Crash in msrp module
Task Type - Bug Report
Category - Module
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - When a non-rfc compliant MSRP message is received Kamailio crashes. 

MSRP message used to trigger (notice From-Path before To-Path):
    MSRP 253291932 SEND
    From-Path: msrp://64.58.53.27:5823/9000001399;tcp
    To-Path: msrp://66.170.58.133:9000/0;tcp 
msrp://dz3prq5k.invalid:9000/a520utdsm7;ws
    Message-ID: T00000577C253291932
    Byte-Range: 1-14/14
    Content-Type: text/plain
    
    Test
    -------253291932$

This makes the Kamailio msrp parser to properly allow this even though it's not 
fully rfc4975 compliant: (check MSRP RFC grammar)
    headers = To-Path CRLF From-Path CRLF 1*( header CRLF )
    To-Path = "To-Path:" SP MSRP-URI *( SP MSRP-URI )
    From-Path = "From-Path:" SP MSRP-URI *( SP MSRP-URI )
    (...)


And makes the 'msrp_netio' to crash. 
(https://github.com/kamailio/kamailio/blob/master/modules/msrp/msrp_netio.c#L107)
        memcpy(p, mf->buf.s, tpath->body.s - mf->buf.s);
        p += tpath->body.s - mf->buf.s;
        memcpy(p, l + 1, fpath->body.s - l - 1);
        p += fpath->body.s - l - 1;
        memcpy(p, tpath->body.s, l + 1 - tpath->body.s);
        p += l + 1 - tpath->body.s;
        memcpy(p, fpath->name.s + 11, mf->buf.s + mf->buf.len - fpath->name.s - 
11);
        p += mf->buf.s + mf->buf.len - fpath->name.s - 11;


Solution adopted is to make more the parser more robust, check 
luismartingil/msrp_crash branch in git Kamailio repo.

Thanks,
Luis Martin Gil

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=419

You are receiving this message because you have requested it from the Flyspray 
bugtracking system.  If you did not expect this message or don't want to 
receive mails in future, you can change your notification settings at the URL 
shown above.

_______________________________________________
sr-dev mailing list
[email protected]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

Reply via email to