[sr-dev] Bug in www_authorize/challenge functions

Alex Balashov abalashov at evaristesys.com
Thu Oct 7 09:17:34 CEST 2010


Attached:

- core.gz - compressed core file, just in case it is useful.
- pcap.txt - capture of the REGISTER requests.
- bt.txt - the GDB backtrace.

I compiled with -DEXTRA_DEBUG but a lot of strings have still been 
optimised out. What is the appropriate make target to compile with 
maximum debug info, disable all optimisations, etc?

From the backtrace, it looks to me as though it is trying to parse a 
digest header with nonce even though it is not in the request, 
although I may be mistaken.

On 10/07/2010 02:56 AM, Alex Balashov wrote:

> All right, will do.  Compiling with debug symbols now for extra
> information.
>
> I don't think it is Postgres-related; I briefly looked at the
> backtrace and there was no evidence at all of database activity. Nor
> did a TCP packet capture show any database activity. Instead, it
> seemed to me like the fact that the initial REGISTER request arrived
> without digest/auth headers (like it's supposed to) was taken as
> evidence that the user does not exist, without further developments.
>
> I will post the backtrace as soon as I have it.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 1170 Peachtree Street
> 12th Floor, Suite 1200
> Atlanta, GA 30309
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
> On Oct 7, 2010, at 2:45 AM, Daniel-Constantin Mierla
> <miconda at gmail.com> wrote:
>
>>
>>
>> On 10/7/10 7:03 AM, Alex Balashov wrote:
>>> I have tinkered with various combinations of modparam values for
>>> 'qop', 'nonce_count', and 'one_time_nonce' to see if it makes a
>>> difference. It does not.
>> Please send the backtrace. It is strange since authentication was
>> deployed on many tests, but with mysql. Might be related to some of
>> latest changes in postgres module.
>>
>> Cheers,
>> Daniel
>>
>>>
>>> On 10/07/2010 01:00 AM, Alex Balashov wrote:
>>>
>>>> Actually, on further investigation, I think auth <-> auth_db is very
>>>> broken in 3.1.0, at least when auth_db is used with Postgres. I
>>>> imagine this is because the new 'auth' is from the SER side and
>>>> 'auth_db' is from the Kamailio extraction.
>>>>
>>>> In the below script, www_authorize() returns -1 even though the user
>>>> is valid and is in the database table. However, when I look at my
>>>> Postgres server's query logs, Kamailio does not actually check the
>>>> 'subscriber' table to see if the user exists, nor is the table
>>>> demand-loaded at startup. The user and the domain are both quite
>>>> valid.
>>>>
>>>> I have my script set to send_reply("403", "Forbidden") and 'exit'
>>>> when www_authorize() returns -1, because if it's an invalid user,
>>>> there is no point in challenging them. If I remove this reply and
>>>> 'exit' however, to test what happens if I www_challenge() anyway,
>>>> then Kamailio crashes.
>>>>
>>>> On 10/06/2010 11:58 PM, Alex Balashov wrote:
>>>>
>>>>> I seem to be able to crash Kamailio v3.1 by doing this when
>>>>> handling a REGISTER:
>>>>>
>>>>> if(!www_authorize("$td", "subscriber")) {
>>>>>     # $rc is -1 - "invalid user"
>>>>>     www_challenge("$td", "1");
>>>>>     exit;
>>>>> }
>>>>>
>>>>> In other words, it cannot find the user, but I call www_challenge()
>>>>> anyway, and get a segfault. Can anyone reproduce, before I
>>>>> attempt to obtain a backtrace?
>>
>> --
>> Daniel-Constantin Mierla
>> http://www.asipto.com
>>
>
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev


-- 
Alex Balashov - Principal
Evariste Systems LLC
1170 Peachtree Street
12th Floor, Suite 1200
Atlanta, GA 30309
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: core.gz
Type: application/gzip
Size: 1040003 bytes
Desc: not available
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20101007/8e93e46f/attachment-0001.bin>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pcap.txt
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20101007/8e93e46f/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bt.txt
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20101007/8e93e46f/attachment-0003.txt>
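The three REGISTER paths this thread turns on (no credentials yet, unknown user, credentials present but wrong), as an added example that is not Kamailio's auth/auth_db code and does not use the attached pcap: a small RFC 2617 MD5 Digest check written in Python by the editor. The realm `sip.example.com`, the subscriber table, the set of issued nonces and the sample messages are all constructed for the example. The point it makes is the one the report describes: a first REGISTER carries no Authorization header and has to be challenged, never handed to the digest/nonce parsing path or reported as a missing user; only once credentials are present does the server look the user up, check the nonce it issued, and compare the response.

```python
"""Minimal SIP Digest (RFC 2617, MD5) check for REGISTER, kept deliberately
small to show the decision order: no credentials -> challenge; unknown user;
nonce we never issued; wrong response; ok.  Editor's example, not Kamailio."""
import hashlib
import re
import secrets

CRLF = "\r\n"
REALM = "sip.example.com"                       # assumption: our realm
SUBSCRIBERS = {"alice": "s3cret"}               # constructed subscriber table
# Constructed: nonce the server is assumed to have issued and still accept.
ISSUED_NONCES = {"0123456789abcdef0123456789abcdef"}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest; the qop-less form is used when qop is None."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_headers(msg):
    """Return (method, {lower-case header name: value}) for one SIP request."""
    lines = msg.split(CRLF)
    method = lines[0].split(" ", 1)[0]
    hdrs = {}
    for line in lines[1:]:
        if not line:                    # empty line ends the header block
            break
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return method, hdrs


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(value):
    """'Digest k="v", k2=v2' -> dict; None if the scheme is not Digest."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def authorize(msg, realm=REALM, subscribers=SUBSCRIBERS, issued=ISSUED_NONCES):
    """Returns ('challenge', nonce) | ('invalid_user', user) |
    ('stale_nonce', user) | ('invalid_password', user) | ('ok', user).
    A request with no Authorization header for our realm is a normal first
    REGISTER: challenge it, do not touch the nonce or the user table."""
    method, hdrs = parse_headers(msg)
    creds = parse_digest(hdrs["authorization"]) if "authorization" in hdrs else None
    if creds is None or creds.get("realm") != realm:
        nonce = secrets.token_hex(16)
        issued.add(nonce)
        return ("challenge", nonce)
    user = creds.get("username", "")
    if user not in subscribers:
        return ("invalid_user", user)
    if creds.get("nonce") not in issued:    # missing or never issued by us
        return ("stale_nonce", user)
    expected = digest_response(user, realm, subscribers[user], method,
                               creds.get("uri", ""), creds["nonce"],
                               creds.get("qop"), creds.get("nc"), creds.get("cnonce"))
    if not secrets.compare_digest(expected, creds.get("response", "")):
        return ("invalid_password", user)
    return ("ok", user)


def www_authenticate(nonce, realm=REALM):
    """Value of the WWW-Authenticate header sent with a 401 challenge."""
    return f'Digest realm="{realm}", nonce="{nonce}", qop="auth", algorithm=MD5'


# Constructed sample REGISTER (not taken from the pcap attached to the report).
def register(extra_header=None):
    lines = ["REGISTER sip:sip.example.com SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776",
             "From: <sip:alice@sip.example.com>;tag=1928301774",
             "To: <sip:alice@sip.example.com>",
             "Call-ID: a84b4c76e66710@192.0.2.10",
             "CSeq: 1 REGISTER",
             "Contact: <sip:alice@192.0.2.10>",
             "Content-Length: 0"]
    if extra_header:
        lines.insert(7, extra_header)
    return CRLF.join(lines) + CRLF + CRLF


def authorization(user, password, nonce, realm=REALM, uri="sip:sip.example.com",
                  nc="00000001", cnonce="abcd"):
    """Build the client's Authorization header for a second REGISTER."""
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce, "auth", nc, cnonce)
    return (f'Authorization: Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')
```

Calling `authorize(register())` yields a challenge with a fresh nonce; `authorize(register(authorization("alice", "s3cret", "0123456789abcdef0123456789abcdef")))` yields `("ok", "alice")`, and the same call with `"bob"`, with a wrong password, or with a nonce the server never issued yields `invalid_user`, `invalid_password` and `stale_nonce` respectively, each only after credentials were actually present.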

