< Previous by Date Date Index Next by Date >
  Thread Index Next in Thread >

[reSIProcate] bad_alloc exception in ConnectionBase.cxx


Hi,
We have run test with the Codenomicon test tool. It sends a BYE (tcp transport) with an unreasonable Content-Length:
INVITE sip:user@xxxxxxxxxxxxxx SIP/2.0
To: <sip:user@xxxxxxxxxxxxxx>
From: "user" <sip:user@xxxxxxxxxxxxxxxx:5060>;tag=00007359
Via: SIP/2.0/UDP from.example.com:5060;branch=z9hG4bK7359t1180001580949
Call-ID: s0c00007359i0t1180001580949@xxxxxxxxxxxxxxxx
Contact: "user" <sip:user@xxxxxxxxxxxxxxxx;transport=udp>
Content-Length: 1073741823
Content-Type: application/sdp
CSeq: 7359 INVITE
Max-Forwards: 70

v=0
o=user 1 1 IN IP4 192.168.2.44
s=Codenomicon SIP UAS Test Tool 3.2 (http://www.codenomicon.com/)
c=IN IP4 192.168.2.44
t=0 0
m=audio 49158 RTP/AVP 0
a=rtpmap:0 PCMU/8000


This causes a bad_alloc exception in ConnetionBase.cxx, so I've done a patch to do some kind of check if size is reasonable.

best regards
Björn


--- ConnectionBase.cxx.orig    2008-03-07 08:59:33.000000000 +0100
+++ ConnectionBase.cxx    2008-03-07 09:01:25.000000000 +0100
@@ -197,6 +197,8 @@
            {
               // The message header is complete.
               contentLength=mMessage->header(h_ContentLength).value();
+               if (contentLength > 65565)
+ throw resip::ParseBuffer::Exception("unreasonable length", "Content-Length", __FILE__, __LINE__);
            }
            catch(resip::ParseException& e)
            {
@@ -295,6 +297,8 @@
         try
         {
             contentLength = mMessage->header(h_ContentLength).value();
+             if (contentLength > 65565)
+ throw resip::ParseBuffer::Exception("unreasonable length", "Content-Length", __FILE__, __LINE__);
         }
         catch(resip::ParseException& e)
         {



--
This communication is confidential and intended solely for the addressee(s). 
Any unauthorized review, use, disclosure or distribution is prohibited. If you 
believe this message has been sent to you in error, please notify the sender by 
replying to this transmission and delete the message without disclosing it. 
Thank you.
E-mail including attachments is susceptible to data corruption, interruption, 
unauthorized amendment, tampering and viruses, and we only send and receive 
e-mails on the basis that we are not liable for any such corruption, 
interception, amendment, tampering or viruses or any consequences thereof.