[Devel] [Fwd: [Serdev] CVS:commitlog: sip_router/modules/usrloc ucontact.c]

Bogdan-Andrei Iancu bogdan at voice-system.ro
Thu Jan 26 14:02:11 CET 2006


Hi Klaus,

I put all the checks in the register module; by this I protect both the memory 
(if no DB is used) and the DB against DoS attacks. Also, negative replies 
are generated if lengths are exceeded. The exception is the User-Agent 
hdr: if it's too long, it will be stored as 'n/a' (not available).

If you have time, some tests would be appreciated ;)

regards,
bogdan



Bogdan-Andrei Iancu wrote:

> Hi Klaus,
>
> the idea is good, but personally I do not agree with the 
> implementation - to be more precise, I do not agree with the idea of 
> keeping truncated values in the DB for important values like callid and 
> contact - it leads to inconsistent data. As for the UA name (which is just 
> info), the truncating approach makes sense; for callid and contact I 
> would suggest rejecting the REGISTER requests with too-long values - 
> it looks healthier to me.
>
> regards,
> bogdan
>
> Klaus Darilion wrote:
>
>> I think this update is also interesting for openser
>>
>> regards
>> klaus
>>
>> -------- Original Message --------
>> Subject: [Serdev] CVS:commitlog: sip_router/modules/usrloc ucontact.c
>> Date: Fri, 20 Jan 2006 19:27:43 +0100
>> From: Maxim Sobolev <sobomax at portaone.com>
>> To: serdev at iptel.org
>>
>> sobomax     2006/01/20 19:27:43 CET
>>
>>   SER CVS Repository
>>
>>   Modified files:
>>     modules/usrloc       ucontact.c
>>   Log:
>>   When inserting/updating contacts in the DB make sure not to overflow
>>   the column limit for the user_agent, contact and callid columns.
>>   Otherwise the UA can cause DoS by sending (intentionally or not) a
>>   value exceeding the column limit in any of the corresponding header
>>   fields. It is also probably an issue with error-handling (or lack
>>   thereof) in particular DB backends, but on 0.9.3 with the postgresql
>>   backend such an unchecked insert causes a segfault.
>>
>>   Revision  Changes    Path
>>   1.45      +13 -8     sip_router/modules/usrloc/ucontact.c
>> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/usrloc/ucontact.c.diff?r1=1.44&r2=1.45 
>>
>>
>> _______________________________________________
>> Serdev mailing list
>> Serdev at iptel.org
>> http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/devel
>>
>
>

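The policy the thread settles on (reject REGISTER when callid or contact exceed the column limit, store 'n/a' for an oversized User-Agent, and do it before anything reaches memory or the DB) as a small C check. This is an added example, not code from the thread or from the SER/OpenSER usrloc or registrar modules; the column limits, the function names and the use of 400 as the negative reply code are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Column limits are assumptions for this example; the thread does not state
 * the usrloc schema's actual sizes. */
#define MAX_CALLID_LEN   255
#define MAX_CONTACT_LEN  255
#define MAX_UA_LEN       255
#define UA_NOT_AVAILABLE "n/a"

enum reg_check {
    REG_OK = 0,
    REG_CALLID_TOO_LONG,
    REG_CONTACT_TOO_LONG
};

/* Values that may reach the usrloc/DB layer. They are only filled in when
 * the request passed the check, so nothing oversized is ever inserted. */
struct reg_fields {
    const char *callid;       /* points into the parsed message, length-delimited */
    size_t callid_len;
    const char *contact;
    size_t contact_len;
    char ua[MAX_UA_LEN + 1];  /* copied, NUL-terminated, possibly "n/a" */
};

/* Policy from the thread: reject REGISTER when callid or contact exceed the
 * column limit (truncating them would leave inconsistent data); for the
 * informational User-Agent header, store "n/a" instead of a truncated value.
 * SIP header values are not NUL-terminated in the parsed message, hence the
 * explicit lengths. */
enum reg_check check_register_fields(const char *callid, size_t callid_len,
                                     const char *contact, size_t contact_len,
                                     const char *ua, size_t ua_len,
                                     struct reg_fields *out)
{
    if (callid_len > MAX_CALLID_LEN)
        return REG_CALLID_TOO_LONG;
    if (contact_len > MAX_CONTACT_LEN)
        return REG_CONTACT_TOO_LONG;

    out->callid = callid;
    out->callid_len = callid_len;
    out->contact = contact;
    out->contact_len = contact_len;

    if (ua == NULL || ua_len == 0 || ua_len > MAX_UA_LEN) {
        strcpy(out->ua, UA_NOT_AVAILABLE);
    } else {
        memcpy(out->ua, ua, ua_len);
        out->ua[ua_len] = '\0';
    }
    return REG_OK;
}

/* The thread only says a "negative reply" is sent; 400 Bad Request is this
 * example's assumption for the reply code. */
int reg_reply_code(enum reg_check r)
{
    return r == REG_OK ? 200 : 400;
}

/* Experiment helper: feed constructed values of the given lengths (all 'a')
 * and return the reply code the check would produce. */
int reply_code_for_lengths(size_t callid_len, size_t contact_len, size_t ua_len)
{
    static char buf[4096];
    struct reg_fields f;
    if (callid_len >= sizeof buf || contact_len >= sizeof buf || ua_len >= sizeof buf)
        return -1;
    memset(buf, 'a', sizeof buf);
    return reg_reply_code(check_register_fields(buf, callid_len, buf, contact_len,
                                                buf, ua_len, &f));
}

/* Experiment helper: the User-Agent string that would be stored for a header
 * of the given length (constructed value, all 'u'). */
const char *stored_ua_for_length(size_t ua_len)
{
    static char buf[4096];
    static struct reg_fields f;
    if (ua_len >= sizeof buf)
        return NULL;
    memset(buf, 'u', sizeof buf);
    if (check_register_fields("cid", 3, "sip:u@h", 7, buf, ua_len, &f) != REG_OK)
        return NULL;
    return f.ua;
}

int main(void)
{
    printf("normal:        %d\n", reply_code_for_lengths(40, 60, 20));
    printf("long callid:   %d\n", reply_code_for_lengths(300, 60, 20));
    printf("long contact:  %d\n", reply_code_for_lengths(40, 300, 20));
    printf("long UA:       %d, stored UA = \"%s\"\n",
           reply_code_for_lengths(40, 60, 300), stored_ua_for_length(300));
    return 0;
}
```

The check runs on the length-delimited header values from the parsed message, so a request is refused before any copy into shared memory or any DB insert is attempted; that is what keeps both the no-DB and the DB-backed configurations from being driven by oversized headers. The difference between the two branches is deliberate: callid and contact identify the binding, so a truncated copy would silently corrupt it, whereas User-Agent is informational and can be replaced.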