
Re: [reSIProcate] [patch] possible DoS with REFER Event: header


It looks like this patch never got applied.

After reviewing it, I might make DUM a little more tolerant and just ignore the bad header instead of rejecting the request. Something like

if (request.exists(h_Event))
    request.remove(h_Event);

right before you call makeServerSubscription, but RFC 3515 says nothing about an Event header in a REFER message being allowed or disallowed, so I would err on the side of caution.

Aron Rosenberg
Sr. Director, Engineering,
LifeSize, a division of Logitech




On Fri, Nov 18, 2011 at 7:56 AM, Robert Szokovacs <robert.szokovacs@xxxxxxxxxxx> wrote:
Hi,

When DUM receives a REFER with an "Event:" header, it will use the value
provided by the client (see BaseSubscription.cxx:22), and later it will cause
an assert() in ServerSubscription.cxx:208.
The attached patch fixes this and rejects such requests with 489.

br

Szo
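
The two handling policies discussed in this thread (reject with 489, or strip the header and carry on), as an added stand-alone example that is not code from the thread, the attached patch, or reSIProcate. All type and function names are hypothetical, the REFER is a constructed sample, and the example goes slightly beyond the thread by also covering the compact header form `o` and folded header lines.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical names throughout; none of this is reSIProcate API.
enum class Policy { Reject489, StripHeader };
struct Result { int status; std::string message; };  // status 0 = not rejected

// Header names are case-insensitive, and Event has the compact form "o".
static bool isEventHeader(const std::string& line) {
    const auto colon = line.find(':');
    if (colon == std::string::npos) return false;
    std::string name = line.substr(0, colon);
    while (!name.empty() && std::isspace((unsigned char)name.back())) name.pop_back();
    std::transform(name.begin(), name.end(), name.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return name == "event" || name == "o";
}

// Apply one policy to a raw REFER before any subscription is built from it.
Result sanitizeRefer(const std::string& raw, Policy policy) {
    std::istringstream in(raw);
    std::string line, out;
    bool first = true, inBody = false, isRefer = false, dropping = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (first) { isRefer = line.rfind("REFER ", 0) == 0; first = false; }
        else if (line.empty()) inBody = true;
        else if (isRefer && !inBody) {
            const bool folded = line[0] == ' ' || line[0] == '\t';
            if (!folded) dropping = isEventHeader(line);
            if (dropping) {
                if (policy == Policy::Reject489) return {489, ""};
                continue;  // StripHeader: drop the header and its folded lines
            }
        }
        out += line + "\r\n";
    }
    return {0, out};
}

// Constructed sample: mixed-case Event with a folded line, plus the compact form.
const std::string kSampleRefer =
    "REFER sip:bob@example.invalid SIP/2.0\r\nRefer-To: <sip:carol@example.invalid>\r\n"
    "EVENT: presence\r\n ;id=7\r\no: dialog\r\nCSeq: 1 REFER\r\n\r\n";

int main() { std::cout << sanitizeRefer(kSampleRefer, Policy::StripHeader).message; }
```

Either policy has to run before the request reaches the code that builds the subscription, so that no client-supplied event value is used.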