[sr-dev] kamailio 3.1.0 crash on ssl-dos attack

Daniel-Constantin Mierla miconda at gmail.com
Wed Nov 23 10:44:27 CET 2011


Hello,

(discussion kept only on sr-dev as it is very likely going to require 
mostly devel interaction).

What is the version of kamailio (-V command line option)? Also, send the 
version of the openssl library -- there were many bugs in various lib 
versions that had to be worked around in the module; maybe this is a new 
one that has to be fixed.

Do you get any error message in the syslog at the moment of the crash?

What would be useful is to get the memory operations log; you can get it 
by setting:

memdbg=1
memlog=1

in config file.

Then repeat the test and make the log available for download somehow (if 
it is too big), from start to the moment of the crash.

Cheers,
Daniel

On 11/22/11 11:30 PM, Jijo wrote:
> Hi All,
>
> Kamailio is resetting when we do a TLS renegotiation DoS attack using 
> the tool available at http://www.thc.org/thc-ssl-dos/.
>
> Has anybody looked at this issue? How could we resolve it? Any idea?
>
> The cores generated for 3 PIDs are as below:
>
> Pid 1:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f 
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> (gdb) bt
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> #1  cfg_update_local () at cfg/cfg_struct.h:228
> #2  timer_main () at timer.c:994
> #3  0x080b0579 in main_loop () at main.c:1632
> #4  0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
>
> Pid 2:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f 
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30, 
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> 184                     if (frag->size <= f->size) break;
> (gdb) bt
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30, 
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> #1  qm_free (qm=0xaf6c5000, p=0xb05eec30, file=0xb6fb4140 "tls: 
> tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) at mem/q_malloc.c:518
> #2  0xb6f95404 in ser_free (ptr=0xb05eec30) at tls_init.c:296
> #3  0xb732e9ba in CRYPTO_free (str=0xb05eec30) at mem.c:391
> #4  0xb7330bee in int_new_ex_data (class_index=5, obj=0xbfd414f4, 
> ad=0xbfd41574) at ex_data.c:440
> #5  0xb7330443 in CRYPTO_new_ex_data (class_index=5, obj=0xbfd414f4, 
> ad=0xbfd41574) at ex_data.c:575
> #6  0xb73dfde3 in X509_STORE_CTX_init (ctx=0xbfd414f4, 
> store=0xafd8b3d0, x509=0xafe08ff0, chain=0x0) at x509_vfy.c:2114
> #7  0xb74b0f31 in ssl3_output_cert_chain (s=0xb0553a10, x=0xafe08ff0) 
> at s3_both.c:349
> #8  0xb74a4728 in ssl3_send_server_certificate (s=0xb0553a10) at 
> s3_srvr.c:3034
> #9  0xb74a5879 in ssl3_accept (s=0xb0553a10) at s3_srvr.c:353
> #10 0xb74afa8f in ssl3_read_bytes (s=0xb0553a10, type=23, 
> buf=0xb0ad44ec "", len=4095, peek=0) at s3_pkt.c:1266
> #11 0xb74ac9c9 in ssl3_read_internal (s=0xb0553a10, buf=0xb0ad44ec, 
> len=4095, peek=0) at s3_lib.c:3265
> #12 0xb74c24a9 in SSL_read (s=0xb0553a10, buf=0xb0ad44ec, num=4095) at 
> ssl_lib.c:954
> #13 0xb6fad1c3 in tls_read_f (c=0xb0ad431c, flags=0xbfd619c4) at 
> tls_server.c:1058
> #14 0x08171c0e in tcp_read_headers (c=0xb0ad431c, 
> read_flags=0xbfd619c4) at tcp_read.c:406
> #15 0x08171db8 in tcp_read_req (con=0xb0ad431c, bytes_read=0xbfd619cc, 
> read_flags=0xbfd619c4) at tcp_read.c:885
> #16 0x08172f67 in handle_io (fm=<value optimized out>, events=1, 
> idx=<value optimized out>) at tcp_read.c:1234
> #17 0x0817583b in io_wait_loop_epoll (unix_sock=89) at io_wait.h:1092
> #18 tcp_receive_loop (unix_sock=89) at tcp_read.c:1345
> #19 0x0816e2e9 in tcp_init_children () at tcp_main.c:4867
> #20 0x080affb1 in main_loop () at main.c:1646
> #21 0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
> Pid 3:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f 
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> (gdb) bt
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> #1  0x081724e7 in tcp_read_req (con=0xb022c8f0, bytes_read=0xbfd619cc, 
> read_flags=0xbfd619c4) at tcp_read.c:1026
> #2  0x08172f67 in handle_io (fm=<value optimized out>, events=1, 
> idx=<value optimized out>) at tcp_read.c:1234
> #3  0x0817583b in io_wait_loop_epoll (unix_sock=93) at io_wait.h:1092
> #4  tcp_receive_loop (unix_sock=93) at tcp_read.c:1345
> #5  0x0816e2e9 in tcp_init_children () at tcp_main.c:4867
> #6  0x080affb1 in main_loop () at main.c:1646
> #7  0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446

-- 
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
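As an added example (not code from the thread or the Kamailio project), a small Python triage helper for the kind of report quoted above: it strips the mail quoting, rejoins backtrace frames that the mail client wrapped, and finds the innermost frame per PID that lies in Kamailio's own code. Telling OpenSSL symbols apart from Kamailio code by symbol prefix is an assumed heuristic; the sample input is constructed from abridged copies of the three traces in the report.

```python
import re
# Constructed sample: abridged gdb output from the report, quoted as it appears in the mail.
SAMPLE = """\
> Pid 1:
> (gdb) bt
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> Pid 2:
> (gdb) bt
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30,
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> #1  0xb6f95404 in ser_free (ptr=0xb05eec30) at tls_init.c:296
> #2  0xb732e9ba in CRYPTO_free (str=0xb05eec30) at mem.c:391
> Pid 3:
> (gdb) bt
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> #1  0x081724e7 in tcp_read_req (con=0xb022c8f0, bytes_read=0xbfd619cc,
> read_flags=0xbfd619c4) at tcp_read.c:1026
"""
# One gdb frame: "#N [0xaddr in] func (args) at file:line" or "... from lib.so".
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+)\s*\(.*?\)\s+(?:at (\S+):(\d+)|from (\S+))")
# Assumed heuristic: OpenSSL symbols by prefix; other in-tree frames count as Kamailio's own code.
OPENSSL_RE = re.compile(r"^(ssl3?_|SSL_|CRYPTO_|X509_|int_new_ex_data)")

def parse_frame(raw: str) -> dict:
    num, func, path, line, lib = FRAME_RE.match(raw).groups()
    origin = "shared-lib" if lib else "openssl" if OPENSSL_RE.match(func) else "kamailio"
    return {"n": int(num), "func": func, "origin": origin,
            "where": f"{path}:{line}" if path else lib}

def parse_cores(text: str) -> dict:
    """Split the quoted mail into per-PID cores, each with its parsed 'bt' frames."""
    cores, cur = {}, None
    for raw_line in text.splitlines():
        line = re.sub(r"^>\s?", "", raw_line).strip()  # drop the '> ' quote prefix
        if line.startswith("Pid "):
            cur = cores.setdefault(line[4:].rstrip(":"), {"raw": []})
        elif cur is None:
            continue                                  # text before the first core
        elif line.startswith("(gdb) bt"):
            cur["raw"] = []                           # keep only frames after 'bt'
        elif line.startswith("#"):
            cur["raw"].append(line)
        elif cur["raw"]:
            cur["raw"][-1] += " " + line              # mail-wrapped continuation line
    for core in cores.values():
        core["frames"] = [parse_frame(r) for r in core["raw"] if FRAME_RE.match(r)]
    return cores

def innermost_kamailio_frame(core: dict):
    # First frame from the crash site outward that is in Kamailio's own code.
    return next((f for f in core["frames"] if f["origin"] == "kamailio"), None)
```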
