[security] SDP Parser: out-of-memory condition (CVE-2017-11521)
reSIProcate Security Advisory, August 6th, 2017
VULNERABILITY
The reSIProcate Session Description Protocol (SDP) parser contains a
flaw where remote attackers could cause a denial of service due to
excessive memory consumption.
INFO
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2017-11521 to this issue.
When an SDP media-level connection specification ("c=" line) contains the
optional "<number of addresses>" field, the reSIProcate SDP parser allocates
one connection object per address without applying any upper limit.
For example, the following lines in an SDP description would lead to the
allocation of 20 billion connection objects, which will most probably
exceed the available process address space:
m=audio 17124 RTP/AVP 0
c=IN IP4 192.168.2.122/127/2000000000
AFFECTED VERSIONS
This flaw exists in all reSIProcate releases up to and including 1.10.2.
THE SOLUTION
In the upcoming release 1.12.0, the parser now rejects more than 255
addresses.
A patch for CVE-2017-11521 is available here:
https://github.com/resiprocate/resiprocate/commit/4b8ffa5afd3291a2701f8d39c31ada443f79a5c8
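As an added illustration, not reSIProcate's code and not the linked patch, the following C++ parses an SDP "c=" line and applies the same 255 bound to the <number of addresses> field before any per-address object would be created, so the advisory's example line is rejected outright; the struct and function names are this example's own assumptions.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Parsed SDP "c=" line, RFC 4566 5.7: c=<nettype> <addrtype> <addr>[/<ttl>][/<number of addresses>]
// (struct and function names are this example's own, not reSIProcate's).
struct ConnectionLine {
    std::string netType, addrType, address;
    int ttl = -1;                  // -1: no TTL field (unicast or IP6)
    unsigned long long count = 1;  // <number of addresses>, default 1
};

// Bound from the advisory: the 1.12.0 fix rejects more than 255 addresses.
const unsigned long long kMaxAddresses = 255;

// Accept only a bounded run of decimal digits, so conversion cannot overflow.
static bool toNumber(const std::string& s, unsigned long long& out) {
    if (s.empty() || s.size() > 18) return false;
    for (char ch : s) if (ch < '0' || ch > '9') return false;
    out = std::stoull(s);
    return true;
}

// Returns false for malformed lines and for an over-limit address count.
bool parseConnectionLine(const std::string& line, ConnectionLine& c) {
    c = ConnectionLine();
    if (line.rfind("c=", 0) != 0) return false;
    std::istringstream in(line.substr(2));
    std::string addrField, part;
    if (!(in >> c.netType >> c.addrType >> addrField)) return false;
    std::vector<std::string> parts;
    std::istringstream fields(addrField);
    while (std::getline(fields, part, '/')) parts.push_back(part);
    // IP4 multicast is <addr>/<ttl>[/<count>]; IP6 carries no TTL, so its
    // first numeric suffix is already the <number of addresses>.
    const std::size_t countIdx = (c.addrType == "IP6") ? 1 : 2;
    if (parts.empty() || parts.size() > countIdx + 1) return false;
    c.address = parts[0];
    for (std::size_t i = 1; i < parts.size(); ++i) {
        unsigned long long n = 0;
        if (!toNumber(parts[i], n)) return false;
        if (i == countIdx) {  // the CVE-2017-11521 check: bound before use
            if (n == 0 || n > kMaxAddresses) return false;
            c.count = n;
        } else {              // TTL is a single octet
            if (n > 255) return false;
            c.ttl = static_cast<int>(n);
        }
    }
    return true;
}
```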
TIME LINE
The issue was detected on July 21st, 2017 by Gregor Jasny using the LLVM
LibFuzzer implementation.
A patch was made available and merged to the master branch on July 25th,
2017.