[SR-Users] kamailio 3.1.0 crash on ssl-dos attack

Daniel-Constantin Mierla miconda at gmail.com
Wed Nov 23 12:25:49 CET 2011


for reference: the discussion is continued on the sr-dev mailing list only, 
as it requires mainly devel interaction.

On 11/22/11 11:30 PM, Jijo wrote:
> Hi All,
>
> Kamailio is resetting when we do a TLS renegotiation DoS attack using 
> the tool available at http://www.thc.org/thc-ssl-dos/.
>
> Has anybody looked at this issue? How could we resolve it? Any idea?
>
> The cores generated for 3 pids are as below
>
> Pid 1:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f 
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> (gdb) bt
> #0  atomic_inc_int () at atomic/atomic_x86.h:225
> #1  cfg_update_local () at cfg/cfg_struct.h:228
> #2  timer_main () at timer.c:994
> #3  0x080b0579 in main_loop () at main.c:1632
> #4  0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
>
> Pid 2:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f 
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30, 
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> 184                     if (frag->size <= f->size) break;
> (gdb) bt
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30, 
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> #1  qm_free (qm=0xaf6c5000, p=0xb05eec30, file=0xb6fb4140 "tls: 
> tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) at mem/q_malloc.c:518
> #2  0xb6f95404 in ser_free (ptr=0xb05eec30) at tls_init.c:296
> #3  0xb732e9ba in CRYPTO_free (str=0xb05eec30) at mem.c:391
> #4  0xb7330bee in int_new_ex_data (class_index=5, obj=0xbfd414f4, 
> ad=0xbfd41574) at ex_data.c:440
> #5  0xb7330443 in CRYPTO_new_ex_data (class_index=5, obj=0xbfd414f4, 
> ad=0xbfd41574) at ex_data.c:575
> #6  0xb73dfde3 in X509_STORE_CTX_init (ctx=0xbfd414f4, 
> store=0xafd8b3d0, x509=0xafe08ff0, chain=0x0) at x509_vfy.c:2114
> #7  0xb74b0f31 in ssl3_output_cert_chain (s=0xb0553a10, x=0xafe08ff0) 
> at s3_both.c:349
> #8  0xb74a4728 in ssl3_send_server_certificate (s=0xb0553a10) at 
> s3_srvr.c:3034
> #9  0xb74a5879 in ssl3_accept (s=0xb0553a10) at s3_srvr.c:353
> #10 0xb74afa8f in ssl3_read_bytes (s=0xb0553a10, type=23, 
> buf=0xb0ad44ec "", len=4095, peek=0) at s3_pkt.c:1266
> #11 0xb74ac9c9 in ssl3_read_internal (s=0xb0553a10, buf=0xb0ad44ec, 
> len=4095, peek=0) at s3_lib.c:3265
> #12 0xb74c24a9 in SSL_read (s=0xb0553a10, buf=0xb0ad44ec, num=4095) at 
> ssl_lib.c:954
> #13 0xb6fad1c3 in tls_read_f (c=0xb0ad431c, flags=0xbfd619c4) at 
> tls_server.c:1058
> #14 0x08171c0e in tcp_read_headers (c=0xb0ad431c, 
> read_flags=0xbfd619c4) at tcp_read.c:406
> #15 0x08171db8 in tcp_read_req (con=0xb0ad431c, bytes_read=0xbfd619cc, 
> read_flags=0xbfd619c4) at tcp_read.c:885
> #16 0x08172f67 in handle_io (fm=<value optimized out>, events=1, 
> idx=<value optimized out>) at tcp_read.c:1234
> #17 0x0817583b in io_wait_loop_epoll (unix_sock=89) at io_wait.h:1092
> #18 tcp_receive_loop (unix_sock=89) at tcp_read.c:1345
> #19 0x0816e2e9 in tcp_init_children () at tcp_main.c:4867
> #20 0x080affb1 in main_loop () at main.c:1646
> #21 0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
> Pid 3:
>
> Core was generated by `/usr/sbin/kamailio -u swrun -g sw -m 120 -f 
> /etc/kamailio/kamailio.cfg'.
> Program terminated with signal 11, Segmentation fault.
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> (gdb) bt
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> #1  0x081724e7 in tcp_read_req (con=0xb022c8f0, bytes_read=0xbfd619cc, 
> read_flags=0xbfd619c4) at tcp_read.c:1026
> #2  0x08172f67 in handle_io (fm=<value optimized out>, events=1, 
> idx=<value optimized out>) at tcp_read.c:1234
> #3  0x0817583b in io_wait_loop_epoll (unix_sock=93) at io_wait.h:1092
> #4  tcp_receive_loop (unix_sock=93) at tcp_read.c:1345
> #5  0x0816e2e9 in tcp_init_children () at tcp_main.c:4867
> #6  0x080affb1 in main_loop () at main.c:1646
> #7  0x080b1be4 in main (argc=9, argv=0xbfd61e54) at main.c:2446
>
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla -- http://www.asipto.com
Kamailio Advanced Training, Dec 5-8, Berlin: http://asipto.com/u/kat
http://linkedin.com/in/miconda -- http://twitter.com/miconda
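Reading three separate cores for a common cause is easier once each pasted backtrace is reduced to a signature: the signal, the crashing frame, and every point where a call crossed between Kamailio, OpenSSL and libc. The Python below is an added triage helper, not code from this thread or from the Kamailio project. It parses gdb `bt` output in the form quoted above (e-mail quote prefixes, frame lines wrapped by the mailer, the source line gdb prints before `bt` is typed), using an abridged copy of the quoted report as constructed sample input. The `OPENSSL_FILES` set is an assumption: it classifies frames by the bare OpenSSL source file names that appear in this report and has no other basis.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: abridged from the quoted report, quote prefixes and wrapping kept.
SAMPLE = """\
> Pid 2:
> Program terminated with signal 11, Segmentation fault.
> 184          if (frag->size <= f->size) break;
> (gdb) bt
> #0  0x0819bfe8 in qm_insert_free (qm=0xaf6c5000, p=0xb05eec30,
> file=0xb6fb4140 "tls: tls_init.c", func=0xb6fb4ce0 "ser_free", line=296)
>     at mem/q_malloc.c:184
> #1  qm_free (qm=0xaf6c5000, p=0xb05eec30, file=0xb6fb4140 "tls:
> tls_init.c", func=0xb6fb4ce0 "ser_free", line=296) at mem/q_malloc.c:518
> #2  0xb6f95404 in ser_free (ptr=0xb05eec30) at tls_init.c:296
> #3  0xb732e9ba in CRYPTO_free (str=0xb05eec30) at mem.c:391
> #12 0xb74c24a9 in SSL_read (s=0xb0553a10, buf=0xb0ad44ec, num=4095) at
> ssl_lib.c:954
> #13 0xb6fad1c3 in tls_read_f (c=0xb0ad431c, flags=0xbfd619c4) at
> tls_server.c:1058
> Pid 3:
> Program terminated with signal 11, Segmentation fault.
> (gdb) bt
> #0  0xb76c9e7c in memmove () from /lib/libc.so.6
> #1  0x081724e7 in tcp_read_req (con=0xb022c8f0, bytes_read=0xbfd619cc,
> read_flags=0xbfd619c4) at tcp_read.c:1026
"""

PID_RE = re.compile(r'^Pid\s+(\d+):')
SIGNAL_RE = re.compile(r'^Program terminated with signal (\d+)')
FRAME_RE = re.compile(
    r'^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[A-Za-z_]\w*)\s*'
    r'\((?P<args>.*)\)\s+(?:at\s+(?P<file>\S+):(?P<line>\d+)|from\s+(?P<lib>\S+))$')
# Assumption: OpenSSL frames are recognised by the bare source file names seen in
# this report; frames 'from' a shared object are 'lib'/'libc', the rest Kamailio.
OPENSSL_FILES = {'mem.c', 'ex_data.c', 'x509_vfy.c', 's3_both.c', 's3_srvr.c', 's3_pkt.c', 's3_lib.c', 'ssl_lib.c'}

@dataclass
class Frame:
    func: str
    args: str
    file: str = None
    line: int = None
    lib: str = None

@dataclass
class Core:
    pid: int
    signal: int = None
    frames: list = field(default_factory=list)  # raw '#n ...' lines until parsed

def parse_frame(text):
    m = FRAME_RE.match(text)
    if not m:
        raise ValueError(f'unrecognised frame: {text!r}')
    return Frame(m['func'], m['args'], m['file'],
                 int(m['line']) if m['line'] else None, m['lib'])

def parse_cores(text):
    """Split a report into cores. Only lines after '(gdb) bt' count as frames;
    wrapped continuations (lines not starting with '#') are re-joined first."""
    cores, in_bt = [], False
    for raw in text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', raw).strip()  # drop e-mail quote prefixes
        if m := PID_RE.match(line):
            cores.append(Core(pid=int(m[1])))
            in_bt = False
        elif not cores:
            continue
        elif m := SIGNAL_RE.match(line):
            cores[-1].signal = int(m[1])
        elif line == '(gdb) bt':
            in_bt = True
        elif in_bt and line.startswith('#'):
            cores[-1].frames.append(line)
        elif in_bt and line and cores[-1].frames:
            cores[-1].frames[-1] += ' ' + line
    for core in cores:
        core.frames = [parse_frame(f) for f in core.frames]
    return cores

def origin(fr):
    if fr.lib:
        return 'libc' if 'libc' in fr.lib else 'lib'
    return 'openssl' if fr.file in OPENSSL_FILES else 'kamailio'

def crossings(core):
    """(caller, callee) pairs where a call crossed a component boundary;
    gdb lists frames innermost first, so frame i+1 is the caller of frame i."""
    return [(outer.func, inner.func) for inner, outer in zip(core.frames, core.frames[1:])
            if origin(inner) != origin(outer)]

def signature(core):
    top = core.frames[0]
    where = f'{top.file}:{top.line}' if top.file else top.lib
    hops = ', '.join(f'{a}->{b}' for a, b in crossings(core)) or 'none'
    return f'pid {core.pid}: signal {core.signal} in {top.func} ({where}); crossings: {hops}'

if __name__ == '__main__':
    print(*map(signature, parse_cores(SAMPLE)), sep='\n')
```

Run stand-alone it prints one line per core. For pid 2 the crossings show OpenSSL's `CRYPTO_free` calling back into the TLS module's `ser_free`, which is the detail worth comparing across all three cores before deciding whether they share a single memory-corruption cause or only a common trigger.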
