[Devel] [Fwd: [Serdev] CVS:commitlog: sip_router/modules/usrloc ucontact.c]
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Thu Jan 26 14:02:11 CET 2006
Hi Klaus,
I put all the checks in the register module - by this I protect both the memory
(if no DB is used) and the DB from DOS attacks. Also, negative replies
are generated if lengths are exceeded. The exception is the User-Agent
hdr - if it's too long, it will be stored as 'n/a' (not available).
If you have time, some tests would be appreciated ;)
regards,
bogdan
Bogdan-Andrei Iancu wrote:
> Hi Klaus,
>
> the idea is good, but personally I do not agree with the
> implementation - to be more precise, I do not agree with the idea of
> keeping truncated values in the DB for important values like callid and
> contact - it leads to inconsistent data. As for the UA name (which is just
> info), the truncating approach makes sense; for callid and contact I
> would suggest rejecting the REGISTER requests with too long values -
> looks healthier to me.
>
> regards,
> bogdan
>
> Klaus Darilion wrote:
>
>> I think this update is also interesting for openser
>>
>> regards
>> klaus
>>
>> -------- Original Message --------
>> Subject: [Serdev] CVS:commitlog: sip_router/modules/usrloc ucontact.c
>> Date: Fri, 20 Jan 2006 19:27:43 +0100
>> From: Maxim Sobolev <sobomax at portaone.com>
>> To: serdev at iptel.org
>>
>> sobomax 2006/01/20 19:27:43 CET
>>
>> SER CVS Repository
>>
>> Modified files:
>> modules/usrloc ucontact.c
>> Log:
>> When inserting/updating contacts in the DB make sure to not overflow the
>> column limit for the user_agent, contact and callid columns. Otherwise the UA
>> can cause a DoS by sending (intentionally or not) a value exceeding the column
>> limit in any of the corresponding header fields. It is also probably an
>> issue with error-handling (or lack thereof) in particular DB backends, but on
>> 0.9.3 with the postgresql backend such an unchecked insert causes a segfault.
>>
>> Revision Changes Path
>> 1.45 +13 -8 sip_router/modules/usrloc/ucontact.c
>> http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/usrloc/ucontact.c.diff?r1=1.44&r2=1.45
>>
>>
>> _______________________________________________
>> Serdev mailing list
>> Serdev at iptel.org
>> http://mail.iptel.org/mailman/listinfo/serdev
>>
>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/devel
>>
>
>
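Added example, not code from SER, OpenSER or the commit above: a C sketch of the policy Bogdan describes, where the length checks run in the registrar before anything reaches shared memory or the DB, an over-long Contact or Call-ID is rejected outright (the caller then sends the negative reply), and an over-long User-Agent is accepted but stored as 'n/a' rather than truncated. The column limits CONTACT_MAX, CALLID_MAX and UA_MAX, the function names and the sample header values are all assumptions made for this example; the real limits come from the usrloc table definition.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative column limits (assumptions for this example, not the real
 * usrloc table definition): the DB schema is the source of truth. */
#define CONTACT_MAX 255
#define CALLID_MAX  255
#define UA_MAX      64

enum reg_check {
    REG_OK = 0,
    REG_MISSING_FIELD,       /* Contact or Call-ID absent */
    REG_CONTACT_TOO_LONG,    /* reject: identity-carrying, never truncate */
    REG_CALLID_TOO_LONG      /* reject: identity-carrying, never truncate */
};

/* Values that are safe to hand on to the location store / DB insert. */
struct reg_fields {
    const char *contact;
    const char *callid;
    const char *user_agent;  /* original UA, or "n/a" when too long/absent */
};

/* User-Agent is informational only: never a reason to reject, but an
 * over-long value is replaced by "n/a" rather than stored truncated. */
const char *stored_user_agent(const char *ua)
{
    if (ua == NULL || strlen(ua) > UA_MAX)
        return "n/a";
    return ua;
}

/* Validate all lengths BEFORE anything is written to shared memory or the
 * DB, so an over-long header costs the registrar nothing but a negative
 * reply. `out` may be NULL when only the verdict is wanted. */
enum reg_check check_register_fields(const char *contact, const char *callid,
                                     const char *user_agent,
                                     struct reg_fields *out)
{
    if (contact == NULL || callid == NULL)
        return REG_MISSING_FIELD;
    if (strlen(contact) > CONTACT_MAX)
        return REG_CONTACT_TOO_LONG;
    if (strlen(callid) > CALLID_MAX)
        return REG_CALLID_TOO_LONG;
    if (out) {
        out->contact = contact;
        out->callid = callid;
        out->user_agent = stored_user_agent(user_agent);
    }
    return REG_OK;
}

/* Constructed sample input: a header value of n 'a' characters (capped at
 * the buffer size), standing in for what a hostile UA would send. */
const char *long_value(size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

static const char *verdict(enum reg_check rc)
{
    switch (rc) {
    case REG_OK:               return "accept";
    case REG_MISSING_FIELD:    return "reject (missing Contact/Call-ID)";
    case REG_CONTACT_TOO_LONG: return "reject (Contact too long)";
    case REG_CALLID_TOO_LONG:  return "reject (Call-ID too long)";
    }
    return "reject";
}

int main(void)
{
    struct reg_fields f;
    enum reg_check rc;

    /* 1. Well-formed REGISTER (constructed values): stored unchanged. */
    rc = check_register_fields("sip:alice@192.0.2.10:5060",
                               "f81d4fae@192.0.2.10", "SIPclient/1.0", &f);
    printf("normal:      %s, UA stored as \"%s\"\n", verdict(rc), f.user_agent);

    /* 2. Over-long User-Agent: accepted, UA replaced by "n/a". */
    rc = check_register_fields("sip:alice@192.0.2.10:5060",
                               "f81d4fae@192.0.2.10", long_value(300), &f);
    printf("long UA:     %s, UA stored as \"%s\"\n", verdict(rc), f.user_agent);

    /* 3. Over-long Call-ID: rejected before any insert is attempted. */
    rc = check_register_fields("sip:alice@192.0.2.10:5060",
                               long_value(300), "SIPclient/1.0", &f);
    printf("long CallID: %s\n", verdict(rc));
    return 0;
}
```

The point of splitting the two cases is the one made in the thread: a truncated Call-ID or Contact would later fail to match the request that created it, so the only consistent options are "store whole" or "do not store", whereas the User-Agent is never matched against anything and can be replaced with a marker without harming the binding.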