Re: [OpenSIPS-Users] OpenSIPS Crash

Fri, 08 Jun 2018 09:29:00 -0700

That we already know, dear sir! But before simply fixing this issue and moving on, my question is: How many more OpenSIPS functions (sip_trace() included) are still subject to such a basic vulnerability?
(probably this will turn into a GitHub ticket that will be assigned to me. Oh well, at least it's for the better good of the community) 

Cheers,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 08.06.2018 18:58, Schneur Rosenberg wrote:

A malformed sip packet should not crash OpenSIPS it should just give
an error and move on

On Fri, Jun 8, 2018 at 3:00 PM, Ben Newlin <ben.new...@genesys.com> wrote:

Liviu,



I am very impressed! I was indeed sending a malformed invite just like the
one you posted, specifically with the missing line termination before the
Call-ID.



Thanks,

Ben Newlin





From: Users <users-boun...@lists.opensips.org> on behalf of Liviu Chircu
<li...@opensips.org>
Reply-To: OpenSIPS users mailling list <users@lists.opensips.org>
Date: Friday, June 8, 2018 at 5:17 AM
To: "users@lists.opensips.org" <users@lists.opensips.org>
Subject: Re: [OpenSIPS-Users] OpenSIPS Crash



Hi Ben,

Excellent report! I managed to reproduce the crash on first try:

Core was generated by `./opensips -m64 -M16 -f
cfg/opensips-2.4-sipp-siptrace.cfg -w .'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f7987cd7f2a in sip_trace (msg=0x7f799817fd20,
info=0x7f799468d5e0) at siptrace.c:1646
1646        db_vals[1].val.str_val.s = msg->callid->body.s;
(gdb) bt
#0  0x00007f7987cd7f2a in sip_trace (msg=0x7f799817fd20,
info=0x7f799468d5e0) at siptrace.c:1646
#1  0x00007f7987cd7c8d in sip_trace_w (msg=0x7f799817fd20,
param1=0x7f7998169110 "\001", param2=0x2 <error: Cannot access memory at
address 0x2>, param3=0x7f79981691f8 "\001", param4=0x0) at siptrace.c:1590
#2  0x0000000000445082 in do_action (a=0x7f79981589a0, msg=0x7f799817fd20)
at action.c:1864
#3  0x000000000043ccf7 in run_action_list (a=0x7f79981589a0,
msg=0x7f799817fd20) at action.c:172

Quick question for you: you are sending a malformed INVITE, correct? Here is
how mine looked like:

INVITE sip:sipp@127.0.0.1:5060 SIP/2.0.
Via: SIP/2.0/UDP 127.0.0.1:7000;branch=z9hG4bK-1988-1-0.
From: sipp <sip:sipp@127.0.0.1:7000>;tag=123456789.
To: sut <sip:sipp@127.0.0.1:5060>.
CSeq: 1 INVITE.
Contact: <sip:sipp@127.0.0.1:7000>   Call-ID: 1-1988@127.0.0.1.
Max-Forwards: 70.
Subject: Performance Test.
Content-Type: application/sdp.
Content-Length:   129.
.
v=0.
o=user1 53655765 2353687637 IN IP4 127.0.0.1.
s=-.
c=IN IP4 127.0.0.1.
t=0 0.
m=audio 6001 RTP/AVP 0.
a=rtpmap:0 PCMU/8000.

Notice how OpenSIPS will be unable to parse the Call-ID header field, hence
the immediate crash in sip_trace(), as it's unable to handle a NULL Call-ID.

Best regards,

Liviu Chircu

OpenSIPS Developer

http://www.opensips-solutions.com

On 07.06.2018 22:24, Ben Newlin wrote:

Hi,



While running a new test scenario I encountered an OpenSIPS crash.



version: opensips 2.3.3 (x86_64/linux)

flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, F_MALLOC,
FAST_LOCK-ADAPTIVE_WAIT

ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535

poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.

git revision: a0bed9d

main.c compiled on 21:08:28 May 16 2018 with gcc 4.8.5



Logs: https://pastebin.com/3vL3rbG4

BT: https://pastebin.com/tTp32ASC



Let me know if anything else is needed.



Thanks,

Ben Newlin






_______________________________________________

Users mailing list

Users@lists.opensips.org

http://lists.opensips.org/cgi-bin/mailman/listinfo/users




_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users























					Reply via email to