[sr-dev] [tracker] Assignee added: Crash if t_release() is executed after t_relay_to(), when this last returns -1
Henning Westerholt
hw at kamailio.org
Thu Dec 1 13:15:23 CET 2011
On Thursday 01 December 2011, Daniel-Constantin Mierla wrote:
> > IMHO also certain denial of service attacks belong to the "security bug"
> > class. If somebody can easily bring my service down because of e.g. a
> > crash during the processing of misformatted (network) input then the
> > availability of the service can be easily compromised.
>
> Then flooding to fill the pipe will cause same kind of issue to
> availability of the service - a bug of the infrastructure.
>
> As expressed in another email just sent, imo there are two categories
> here: stability and security
Hi Daniel,
well, there is a difference between a "simple" DDOS attack, which of course
can bring every service down given a big enough attacker's bandwidth, and a
crash on a single invalid (SIP, SSL setup etc.) message which is IMHO clearly a
vulnerability.
The "classical" information security definition is CIA - confidentiality,
integrity and availability. A break-in due to a software bug would be a breach of
integrity, the discussed crash would affect the availability and e.g. a wrong
usage of TLS that causes missing encryption in messages would be a breach of the
confidentiality.
http://en.wikipedia.org/wiki/Information_security
But you're right, I guess the right person to make this decision is the one
that will work on this stuff in the end..
Best regards,
Henning