
[security] SDP Parser: out-of-memory condition (CVE-2017-11521)


reSIProcate Security Advisory, August 6th, 2017

VULNERABILITY

The reSIProcate Session Description Protocol (SDP) parser contains a
flaw where remote attackers could cause a denial of service due to
excessive memory consumption.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2017-11521 to this issue.

When an SDP media-level connection specification ("c=" line) contains the
optional "<number of addresses>" field, the reSIProcate SDP parser allocates
one connection object per address without applying any upper limit.

For example, the following lines in an SDP description would lead to the
allocation of 20 billion connection objects, which would most probably
exceed the available process address space:

m=audio 17124 RTP/AVP 0
c=IN IP4 192.168.2.122/127/2000000000

AFFECTED VERSIONS

This flaw exists in all reSIProcate releases up to and including 1.10.2.

THE SOLUTION

In the upcoming release 1.12.0, the parser now rejects more than 255
addresses.
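The following is an added illustration, not reSIProcate's own parser or the
linked patch: a small C++ parser for the SDP "c=" line (RFC 4566 form
c=<nettype> <addrtype> <connection-address>[/<ttl>][/<number of addresses>])
that applies the 255-address bound described above before anything downstream
allocates one object per address. It covers both the unbounded allocation
described in INFO and the limit introduced in THE SOLUTION. The structure,
function names and the last-octet expansion rule are assumptions made for the
example; the constant kMaxAddresses reflects the limit stated in this advisory.

```cpp
#include <climits>
#include <iostream>
#include <string>
#include <vector>

// Limit taken from the advisory: more than 255 addresses is rejected.
constexpr unsigned long long kMaxAddresses = 255;

// Parsed form of one "c=" line. Hypothetical type for this example.
struct ConnectionInfo {
    std::string netType;
    std::string addrType;
    std::string address;
    unsigned long long ttl = 0;           // 0 when the optional field is absent
    unsigned long long numAddresses = 1;  // RFC 4566 default when the field is absent
};

// Split on `sep`, keeping empty fields so malformed input is visible to the caller.
static std::vector<std::string> split(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::string cur;
    for (char ch : s) {
        if (ch == sep) { out.push_back(cur); cur.clear(); }
        else cur += ch;
    }
    out.push_back(cur);
    return out;
}

// Parse a non-empty decimal field; rejects non-digits and values that would overflow.
static bool parseUnsigned(const std::string& s, unsigned long long& out) {
    if (s.empty()) return false;
    unsigned long long v = 0;
    for (char ch : s) {
        if (ch < '0' || ch > '9') return false;
        unsigned digit = static_cast<unsigned>(ch - '0');
        if (v > (ULLONG_MAX - digit) / 10) return false;  // would overflow
        v = v * 10 + digit;
    }
    out = v;
    return true;
}

// Returns true and fills `info` when the line is well-formed and within limits;
// on failure `error` holds a short reason and no per-address work has been done.
bool parseConnectionLine(const std::string& line, ConnectionInfo& info, std::string& error) {
    if (line.compare(0, 2, "c=") != 0) { error = "not a c= line"; return false; }
    std::vector<std::string> fields = split(line.substr(2), ' ');
    if (fields.size() != 3) { error = "expected nettype, addrtype and address"; return false; }
    info.netType = fields[0];
    info.addrType = fields[1];

    std::vector<std::string> parts = split(fields[2], '/');
    if (parts.size() > 3 || parts[0].empty()) { error = "malformed connection-address"; return false; }
    info.address = parts[0];
    if (parts.size() >= 2 && !parseUnsigned(parts[1], info.ttl)) { error = "bad ttl"; return false; }
    if (parts.size() == 3) {
        if (!parseUnsigned(parts[2], info.numAddresses) || info.numAddresses == 0) {
            error = "bad number of addresses"; return false;
        }
        // The check the vulnerable parser lacked: bound the count before any
        // code path allocates one connection object per address.
        if (info.numAddresses > kMaxAddresses) { error = "too many addresses"; return false; }
    }
    return true;
}

// Build one entry per address (the per-address allocation the advisory describes).
// Consecutive addresses are derived by incrementing the last dotted octet, a
// simplification of RFC 4566's "add 1 to the address" rule used for illustration;
// it is safe only because parseConnectionLine has already bounded the count.
std::vector<std::string> expandAddresses(const ConnectionInfo& info) {
    std::vector<std::string> out;
    size_t dot = info.address.rfind('.');
    unsigned long long last = 0;
    if (dot == std::string::npos || !parseUnsigned(info.address.substr(dot + 1), last)) {
        out.push_back(info.address);   // not dotted-decimal: cannot derive neighbours
        return out;
    }
    std::string prefix = info.address.substr(0, dot + 1);
    for (unsigned long long i = 0; i < info.numAddresses; ++i)
        out.push_back(prefix + std::to_string(last + i));
    return out;
}

// Parse and expand in one step; an empty vector means the line was rejected.
std::vector<std::string> connectionsFromLine(const std::string& line) {
    ConnectionInfo info; std::string error;
    if (!parseConnectionLine(line, info, error)) return {};
    return expandAddresses(info);
}

// Empty string when the line is accepted, otherwise the rejection reason.
std::string rejectReason(const std::string& line) {
    ConnectionInfo info; std::string error;
    return parseConnectionLine(line, info, error) ? std::string() : error;
}

int main() {
    // The advisory's own example line is rejected before any allocation happens.
    std::cout << rejectReason("c=IN IP4 192.168.2.122/127/2000000000") << "\n";
    std::cout << connectionsFromLine("c=IN IP4 224.2.1.1/127/3").size() << " addresses\n";
    return 0;
}
```

The point of the example is where the bound sits: the count is validated while
the line is still a string, so a hostile value never reaches the loop that
allocates objects, and overflowing or zero counts are rejected on the same path.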

A patch for CVE-2017-11521 is available here:
https://github.com/resiprocate/resiprocate/commit/4b8ffa5afd3291a2701f8d39c31ada443f79a5c8

TIME LINE

The issue was detected on July 21st, 2017 by Gregor Jasny using the LLVM
LibFuzzer implementation.

A patch was made available and merged to the master branch on July 25th,
2017.