[Devel] [Fwd: [Serdev] CVS:commitlog: sip_router/modules/usrloc ucontact.c]

Bogdan-Andrei Iancu bogdan at voice-system.ro
Mon Jan 23 11:54:29 CET 2006


Hi Klaus,

the idea is good, but personally I do not agree with the implementation 
- to be more precise, I do not agree with the idea of keeping truncated 
values in the DB for important values like callid and contact - it leads 
to inconsistent data. As for the UA name (which is just info), the 
truncating approach makes sense; for callid and contact I would suggest 
rejecting the REGISTER requests with too-long values - that looks 
healthier to me.

regards,
bogdan

Klaus Darilion wrote:

> I think this update is also interesting for openser
>
> regards
> klaus
>
> -------- Original Message --------
> Subject: [Serdev] CVS:commitlog: sip_router/modules/usrloc ucontact.c
> Date: Fri, 20 Jan 2006 19:27:43 +0100
> From: Maxim Sobolev <sobomax at portaone.com>
> To: serdev at iptel.org
>
> sobomax     2006/01/20 19:27:43 CET
>
>   SER CVS Repository
>
>   Modified files:
>     modules/usrloc       ucontact.c
>   Log:
>   When inserting/updating contacts in the DB make sure to not overflow
>   column limit for user_agent, contact and callid columns. Otherwise the
>   UA can cause DoS by sending (intentionally or not) value exceeding
>   column limit in any of the corresponding header fields. It is also
>   probably an issue with error-handling (or lack thereof) in particular
>   DB backends, but on 0.9.3 with postgresql backend such unchecked
>   insert causes segfault.
>
>   Revision  Changes    Path
>   1.45      +13 -8     sip_router/modules/usrloc/ucontact.c
> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/usrloc/ucontact.c.diff?r1=1.44&r2=1.45 
>
>
>
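
The policy proposed in the reply above (reject over-long callid and contact, truncate only the informational user agent), as an added example that is not part of the original thread and is not SER or OpenSER code. The column widths, type names and function names are assumptions chosen for illustration; the last function shows why truncating a Call-ID gives inconsistent data.

```c
#include <stddef.h>
#include <string.h>

/* Assumed column widths (kept small for the sample data); the real
 * usrloc schema limits are not stated in the thread. */
#define CALLID_COL_MAX     16
#define CONTACT_COL_MAX    32
#define USER_AGENT_COL_MAX 8

/* Counted string: hypothetical stand-in for a parsed header value. */
typedef struct { const char *s; size_t len; } field_t;
typedef struct { field_t callid, contact, user_agent; } reg_fields_t;

enum reg_verdict { REG_STORE = 0, REG_REJECT_CALLID, REG_REJECT_CONTACT };

/* What a truncating insert would store: the first `max` bytes only. */
static field_t truncate_field(field_t f, size_t max)
{
    if (f.len > max)
        f.len = max;
    return f;
}

/* Identity fields are rejected when they exceed the column width; the
 * User-Agent is shortened in place so the row still fits the table. */
enum reg_verdict check_register_fields(reg_fields_t *r)
{
    if (r->callid.len > CALLID_COL_MAX)
        return REG_REJECT_CALLID;
    if (r->contact.len > CONTACT_COL_MAX)
        return REG_REJECT_CONTACT;
    r->user_agent = truncate_field(r->user_agent, USER_AGENT_COL_MAX);
    return REG_STORE;
}

/* Returns 1 when two different Call-IDs become the same stored value
 * after truncation, i.e. two dialogs would share one DB key. */
int callids_collide_when_truncated(field_t a, field_t b)
{
    field_t ta = truncate_field(a, CALLID_COL_MAX);
    field_t tb = truncate_field(b, CALLID_COL_MAX);
    int differ = a.len != b.len || memcmp(a.s, b.s, a.len) != 0;
    return differ && ta.len == tb.len && memcmp(ta.s, tb.s, ta.len) == 0;
}

/* Constructed-sample helper: wrap a C string as a counted field. */
field_t field_from(const char *s)
{
    field_t f = { s, strlen(s) };
    return f;
}
```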



