[sr-dev] kamailio cores on corrupted route header

Olle E. Johansson oej at edvina.net
Tue Oct 9 18:50:09 CEST 2012


This is a good example of a security issue that needs a security report. A user-crafted SIP message that can core a running proxy is no good.
We do need to alert all users and upgrade current releases.

/O

On 9 Oct 2012, at 16:32, Daniel-Constantin Mierla <miconda at gmail.com> wrote:

> Hello,
> 
> patch applied on master branch, soon it will be backported to stable branch.
> 
> Thanks,
> Daniel
> 
> On 10/9/12 3:49 PM, Jijo wrote:
>> Hello,
>> 
>> kamailio cores when it receives a corrupted route header.
>>  
>> For example, this was causing the core.
>> 
>>  
>> Route: sip:10.236.236.100;transport=tcp;r2=on;lr;ftag=1348218287134-Test-553188;osb-tag=NM;nat=yes;twan=yes?[=& [=
>> 
>> 
>> I found the problem: the pointer was not being set to null after it was freed. Please apply this fix in the next version.
>> 
>> Here is the diff between the original (3.2.2) and the changed version.
>> 
>> 
>> PGA:/mnt/o/kamailio-3.2.2/parser # diff -u parse_param.c.orig parse_param.c
>> 
>> --- parse_param.c.orig  2012-10-09 09:42:58.372003500 -0300
>> 
>> +++ parse_param.c       2012-10-09 21:34:14.556367900 -0300
>> 
>> @@ -545,6 +545,7 @@
>> 
>>   error:
>> 
>>         if (t) pkg_free(t);
>> 
>>         free_params(*_p);
>> 
>> +        *_p = 0;
>> 
>>         return -2;
>> 
>> 
>>   ok:
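Review bot: At the `error:` label, the new `*_p = 0;` should carry a one-line comment saying that callers may still free or walk `*_p` after a failed parse, because next to `free_params(*_p)` the assignment looks redundant and could be dropped in a later cleanup. It is also worth confirming that no other error return in this function, outside the lines shown, leaves `*_p` pointing at freed memory, and that any other output referencing entries of the freed list is reset in the same place.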
>> 
>> 
>> 
>> Thanks
>> Jijo
>> 
>> 
>> 
>> 
>> _______________________________________________
>> sr-dev mailing list
>> sr-dev at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
> 
> -- 
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
> Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu
> _______________________________________________
> sr-dev mailing list
> sr-dev at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
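The failure mode Jijo describes in the quoted report, reduced to a stand-alone C sketch. This is an added example, not Kamailio's code: `parse_list`, `free_list` and `handle_header` are hypothetical names, and the parameter grammar is simplified to `name[=value]` tokens separated by `;`.

```c
#include <stdlib.h>
#include <string.h>

typedef struct param { char *name; struct param *next; } param_t;

/* Free a whole list; safe to call with NULL. */
static void free_list(param_t *p) {
    while (p) {
        param_t *n = p->next;
        free(p->name);
        free(p);
        p = n;
    }
}

/* Parse "a;b=c;d" into a list. Returns the number of params, or -2 on a
 * malformed one (empty name). On error the partial list is freed AND *out
 * is reset, so the caller never holds a pointer to freed memory. */
static int parse_list(const char *s, param_t **out) {
    int count = 0;
    *out = NULL;
    while (*s) {
        size_t len = strcspn(s, ";");      /* one "name[=value]" token */
        size_t nlen = strcspn(s, "=;");    /* name part of that token  */
        if (nlen == 0) goto error;         /* "=x" or ";;": no name    */
        param_t *t = calloc(1, sizeof(*t));
        if (!t) goto error;
        t->name = malloc(nlen + 1);
        if (!t->name) { free(t); goto error; }
        memcpy(t->name, s, nlen);
        t->name[nlen] = '\0';
        t->next = *out;                    /* prepend; order is irrelevant here */
        *out = t;
        count++;
        s += len;
        if (*s == ';') s++;
    }
    return count;
error:
    free_list(*out);
    *out = NULL;   /* without this line the caller's cleanup frees the list twice */
    return -2;
}

/* Typical caller: cleans up unconditionally, whatever the parser returned. */
static int handle_header(const char *params) {
    param_t *list = NULL;
    int rc = parse_list(params, &list);
    free_list(list);   /* harmless after an error only because list is NULL */
    return rc;
}
```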
