[OpenSIPS-Users] Segfault crash in siptrace.c in OpenSIPs 2.2.7

Liviu Chircu liviu at opensips.org
Tue Oct 16 04:44:30 EDT 2018


Hi Jon,

This sip_trace() vulnerability was reported (and solved!) before [1] 
but, for some reason, I didn't push the fix for it... will do it asap!

Cheers,

[1]: http://lists.opensips.org/pipermail/users/2018-June/039515.html

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 15.10.2018 22:49, Jon Abrams wrote:
> Howdy,
>
> I've had a few crashes on one of my instances running OpenSIPs 2.2.7 
> over the last couple of days. It appears to be an issue in the 
> siptrace.c file when a message without a call-id gets traced. For example:
>
> SIP/2.0 400 Bad Request
> Via: SIP/2.0/UDP 45.35.xx.xx:5060;branch=z9hG4bK8a78.32fc86e1.2
> Via: SIP/2.0/UDP 
> 199.242.xx.xx:5060;branch=z9hG4bK1sansay3360535464rdb10237
> From: <sip:+1984#1916424xxxx at 199.242.xx.xx>;tag=sansay3360535464rdb10237
> To: <sip:916424xxxx at 206.147.xx.xx>
> CSeq: 1 INVITE
> Error-Info: <sip:916424xxxx at 206.147.xx.xx>;cause="[line 007] SIP 
> syntax error"
> Content-Length: 0
>
> Resulting in a core file and a gdb backtrace of:
>
> (gdb) bt
> #0  0x00007f11bea1ece1 in sip_trace (msg=0x7f1244250148, 
> info=0x7ffc09a008f0)
>     at siptrace.c:1563
> #1  0x00007f11bea29084 in sip_trace_w (msg=0x7f1244250148,
>     param1=<optimized out>, param2=<optimized out>, param3=<optimized 
> out>)
>     at siptrace.c:1506
> #2  0x000000000044c518 in do_action (a=a at entry=0x7f124421f548,
>     msg=msg at entry=0x7f1244250148) at action.c:1844
> #3  0x0000000000453075 in run_action_list (msg=<optimized out>,
>     a=<optimized out>) at action.c:172
> #4  run_actions (msg=0x7f1244250148, a=<optimized out>) at action.c:137
> #5  run_top_route (a=<optimized out>, msg=msg at entry=0x7f1244250148)
>     at action.c:204
> #6  0x00007f11c0e6703f in reply_received (p_msg=0x7f1244250148)
>     at t_reply.c:1458
> #7  0x000000000047be6c in forward_reply (msg=msg at entry=0x7f1244250148)
>     at forward.c:495
> #8  0x0000000000459b82 in receive_msg (
>     buf=0x8683e0 <buf.8308> "SIP/2.0 400 Bad Request\r\nVia: 
> SIP/2.0/UDP 45.35.xx.xx:5060;branch=z9hG4bK8a78.32fc86e1.2\r\nVia: 
> SIP/2.0/UDP 
> 199.242.xx.xx:5060;branch=z9hG4bK1sansay3360535464rdb10237\r\nFrom: 
> <sip:+1984#1916424xxxx at 199."..., len=<optimized out>, 
> rcv_info=rcv_info at entry=0x7ffc09a01250,
>     existing_context=existing_context at entry=0x0) at receive.c:257
> #9  0x00000000005bded6 in udp_read_req (si=<optimized out>,
>
>
> The code at line 1552 in siptrace.c that should handle this doesn't 
> seem to be triggered:
>
>         if(parse_headers(msg, HDR_CALLID_F, 0)!=0)
>         {
>                 LM_ERR("cannot parse call-id\n");
>                 goto error;
>         }
>
> Resulting in a bad pointer dereference and segfault here at line 1563:
>         db_vals[1].val.str_val.s = msg->callid->body.s;
>
>
> If I change line 1552 to match the code in that the pv_get_callid 
> function use to check the call-id, siptrace seems to detect the 
> missing call-id fine. Here's a diff on the 2.2.7 siptrace.c
>
> --- orig/opensips-2.2.7/modules/siptrace/siptrace.c 2018-05-24 
> 16:33:57.000000000 +0000
> +++ fixed/opensips-2.2.7/modules/siptrace/siptrace.c 2018-10-15 
> 19:17:39.020664338 +0000
> @@ -1549,7 +1549,9 @@
>                 goto error;
>         }
>
> -       if(parse_headers(msg, HDR_CALLID_F, 0)!=0)
> +       if(msg->callid==NULL && ((parse_headers(msg, HDR_CALLID_F, 
> 0)==-1) ||
> + (msg->callid==NULL)) )
> +
>         {
>                 LM_ERR("cannot parse call-id\n");
>                 goto error;
>
> Again, its only an issue if sip tracing is enabled (in my case hep 
> transported to Homer) with messages missing a call-id. As far as I can 
> tell, this may still exist in the master branch, but I've only tested 
> in the 2.2.x releases.
>
> - Jon Abrams
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20181016/879a43ec/attachment-0001.html>


More information about the Users mailing list