[sr-dev] kamailio 3.1.0 crash on ssl-dos attack

Jijo realjijo at gmail.com
Wed Nov 23 16:01:59 CET 2011 

Thanks I will attach the logs soon..meanwhile here is the kamailio and
openssl version

OB151:~ # /usr/sbin/kamailio -V
version: kamailio 3.1.0 (i386/linux) 21a375
flags: STATS: Off, USE_IPV6, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS,
USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, DBG_QM_MALLOC,
USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER,
USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16,
MAX_URI_SIZE 1024, BUF_SIZE 65535, PKG_SIZE 15MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 21a375
compiled on 09:22:51 Nov  4 2011 with gcc 4.5.0


OB151:~ # openssl version -a
OpenSSL 1.0.0 29 Mar 2010
built on: 2011-05-31 07:52:17.000000000 +0000
platform: linux-elf
options:  bn(64,32) rc4(4x,int) des(ptr,risc1,16,long) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H
-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -fomit-frame-pointer
-fmessage-length=0 -O2 -Wall
-D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g -Wa,--noexecstack -fomit-frame-pointer
-fno-strict-aliasing
-DTERMIO -Wall -fstack-protector  -DOPENSSL_BN_ASM_PART_WORDS
-DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/ssl"


On Wed, Nov 23, 2011 at 4:44 AM, Daniel-Constantin Mierla <miconda at gmail.com
> wrote:

>  Hello,
>
> (discussion kept only on sr-dev as it is very likely going to require
> mostly devel interaction).
>
> What is the version of kamailio (-V command line option). Also, send the
> verision of openssl library -- there were many bugs in various lib versions
> that had to be workarounded in the module, maybe this is a new one that has
> to be fixed.
>
> Do you get any error message in the syslog at the moment of the crash?
>
> What would be useful is to get the memory operations log, you can get it
> by setting:
>
> memdbg=1
> memlog=1
>
> in config file.
>
> Then repeat the test and make the log available for download somehow (if
> it is too big), from start to the moment of the crash.
>
> Cheers,
> Daniel
>
>
> On 11/22/11 11:30 PM, Jijo wrote:
>
> Hi All,
>
> Kamailio is resetting when we do TLS renegotiation dos attack using the
> tool available at  http://www.thc.org/thc-ssl-dos/.
>
> Anybody looked at this issue? How we could resolve it. Any idea?
>
> The core generated for 3 pid's as below
>
> Pid 1:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> (gdb) bt
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> #1  cfg_update_local () at cfg/cfg_struct.h:228
> #2  timer_main () at timer.c:994
> #3  0x080b0579 in main_loop () at main.c:1632
> #4  0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
>
> Pid 2:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30,
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> 184                     if (frag->size <= f->size) break;
> (gdb) bt
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30,
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> #1  qm_free (qm=0xaf6c5000, p=0xb05eec30, file=0xb6fb4140 "tls:
> tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) at mem/q_malloc.c:518
> #2  0xb6f95404 in ser_free (ptr=0xb05eec30) at tls_init.c:296
> #3  0xb732e9ba in CRYPTO_free (str=0xb05eec30) at mem.c:391
> #4  0xb7330bee in int_new_ex_data (class_index=5, obj=0xbfd414f4,
> ad=0xbfd41574) at ex_data.c:440
> #5  0xb7330443 in CRYPTO_new_ex_data (class_index=5, obj=0xbfd414f4,
> ad=0xbfd41574) at ex_data.c:575
> #6  0xb73dfde3 in X509_STORE_CTX_init (ctx=0xbfd414f4, store=0xafd8b3d0,
> x509=0xafe08ff0, chain=0x0) at x509_vfy.c:2114
> #7  0xb74b0f31 in ssl3_output_cert_chain (s=0xb0553a10, x=0xafe08ff0) at
> s3_both.c:349
> #8  0xb74a4728 in ssl3_send_server_certificate (s=0xb0553a10) at
> s3_srvr.c:3034
> #9  0xb74a5879 in ssl3_accept (s=0xb0553a10) at s3_srvr.c:353
> #10 0xb74afa8f in ssl3_read_bytes (s=0xb0553a10, type=23, buf=0xb0ad44ec
> "", len=4095, peek=0) at s3_pkt.c:1266
> #11 0xb74ac9c9 in ssl3_read_internal (s=0xb0553a10, buf=0xb0ad44ec,
> len=4095, peek=0) at s3_lib.c:3265
> #12 0xb74c24a9 in SSL_read (s=0xb0553a10, buf=0xb0ad44ec, num=4095) at
> ssl_lib.c:954
> #13 0xb6fad1c3 in tls_read_f (c=0xb0ad431c, flags=0xbfd619c4) at
> tls_server.c:1058
> #14 0x08171c0e in tcp_read_headers (c=0xb0ad431c, read_flags=0xbfd619c4)
> at tcp_read.c:406
> #15 0x08171db8 in tcp_read_req (con=0xb0ad431c, bytes_read=0xbfd619cc,
> read_flags=0xbfd619c4) at tcp_read.c:885
> #16 0x08172f67 in handle_io (fm=<value optimized out>, events=1,
> idx=<value optimized out>) at tcp_read.c:1234
> #17 0x0817583b in io_wait_loop_epoll (unix_sock=89) at io_wait.h:1092
> #18 tcp_receive_loop (unix_sock=89) at tcp_read.c:1345
> #19 0x0816e2e9 in tcp_init_children () at tcp_main.c:4867
> #20 0x080affb1 in main_loop () at main.c:1646
> #21 0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
> Pid 3:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> (gdb) bt
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> #1  0x081724e7 in tcp_read_req (con=0xb022c8f0, bytes_read=0xbfd619cc,
> read_flags=0xbfd619c4) at tcp_read.c:1026
> #2  0x08172f67 in handle_io (fm=<value optimized out>, events=1,
> idx=<value optimized out>) at tcp_read.c:1234
> #3  0x0817583b in io_wait_loop_epoll (unix_sock=93) at io_wait.h:1092
> #4  tcp_receive_loop (unix_sock=93) at tcp_read.c:1345
> #5  0x0816e2e9 in tcp_init_children () at tcp_main.c:4867
> #6  0x080affb1 in main_loop () at main.c:1646
> #7  0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
>
>
>
> _______________________________________________
> sr-dev mailing listsr-dev at lists.sip-router.orghttp://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
>
>
> --
> Daniel-Constantin Mierla -- http://www.asipto.com
> Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kathttp://linkedin.com/in/miconda -- http://twitter.com/miconda
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20111123/8ffae260/attachment.htm>

More information about the sr-dev mailing list