[reSIProcate] bad_alloc exception in ConnectionBase.cxx

Byron Campen bcampen at estacado.net
Fri Mar 7 10:04:30 CST 2008


	Yeah, a lot of nasty vulnerabilities have been fixed since the 1.0  
release. I would heartily recommend updating to 1.2.3.

Best regards,
Byron Campen

> I'm running on 1.0.2. I had a quick look with the code browser if  
> this was fixed, but apparently I missed it.
>
> sorry for the trouble
> Björn
>
> Byron Campen wrote:
>>     What revision are you working with? This had already been
>> fixed on head I thought.
>>
>> Best regards,
>> Byron Campen
>>
>>> Hi,
>>> We have run a test with the Codenomicon test tool. It sends a BYE (tcp
>>> transport) with an unreasonable Content-Length:
>>> INVITE sip:user at to.example.com SIP/2.0
>>> To: <sip:user at to.example.com>
>>> From: "user" <sip:user at from.example.com:5060>;tag=00007359
>>> Via: SIP/2.0/UDP from.example.com:5060;branch=z9hG4bK7359t1180001580949
>>> Call-ID: s0c00007359i0t1180001580949 at from.example.com
>>> Contact: "user" <sip:user at from.example.com;transport=udp>
>>> Content-Length: 1073741823
>>> Content-Type: application/sdp
>>> CSeq: 7359 INVITE
>>> Max-Forwards: 70
>>>
>>> v=0
>>> o=user 1 1 IN IP4 192.168.2.44
>>> s=Codenomicon SIP UAS Test Tool 3.2 (http://www.codenomicon.com/)
>>> c=IN IP4 192.168.2.44
>>> t=0 0
>>> m=audio 49158 RTP/AVP 0
>>> a=rtpmap:0 PCMU/8000
>>>
>>>
>>> This causes a bad_alloc exception in ConnectionBase.cxx, so I've done a
>>> patch to do some kind of check if size is reasonable.
>>>
>>> best regards
>>> Björn
>>>
>>>
>>> --- ConnectionBase.cxx.orig    2008-03-07 08:59:33.000000000 +0100
>>> +++ ConnectionBase.cxx    2008-03-07 09:01:25.000000000 +0100
>>> @@ -197,6 +197,8 @@
>>>              {
>>>                 // The message header is complete.
>>>                 contentLength=mMessage->header  
>>> (h_ContentLength).value();
>>> +               if (contentLength > 65565)
>>> +                  throw resip::ParseBuffer::Exception("unreasonable
>>> length", "Content-Length", __FILE__, __LINE__);
>>>              }
>>>              catch(resip::ParseException& e)
>>>              {
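Review bot: The limit in the added `if (contentLength > 65565)` is a bare literal that matches neither 65535 nor 65536, so it is unclear whether this value is intended; please give it a named constant and a comment saying why that bound was chosen. The check also has no lower bound, so if `contentLength` is a signed type a negative Content-Length still passes, and it is worth confirming that `resip::ParseBuffer::Exception` is actually caught by the `catch(resip::ParseException& e)` that follows, otherwise the throw escapes this handler.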
>>> @@ -295,6 +297,8 @@
>>>           try
>>>           {
>>>               contentLength = mMessage->header  
>>> (h_ContentLength).value();
>>> +             if (contentLength > 65565)
>>> +                throw resip::ParseBuffer::Exception("unreasonable
>>> length", "Content-Length", __FILE__, __LINE__);
>>>           }
>>>           catch(resip::ParseException& e)
>>>           {
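Review bot: The second site at line 297 repeats the same literal and the same throw verbatim, so the two checks can drift apart; move the comparison into one helper, or at least one shared constant, used by both places. The exception text "unreasonable length" also leaves out the offending value, and including it would make a rejected message easier to diagnose from the logs.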
>>>
>>>
>>>
>>> -- 
>>> This communication is confidential and intended solely for the   
>>> addressee(s). Any unauthorized review, use, disclosure or   
>>> distribution is prohibited. If you believe this message has been   
>>> sent to you in error, please notify the sender by replying to  
>>> this  transmission and delete the message without disclosing it.  
>>> Thank you.
>>> E-mail including attachments is susceptible to data corruption,   
>>> interruption, unauthorized amendment, tampering and viruses, and  
>>> we  only send and receive e-mails on the basis that we are not  
>>> liable  for any such corruption, interception, amendment,  
>>> tampering or  viruses or any consequences thereof.
>>>
>>
>
>
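
The failure reported in this thread comes from trusting a peer-declared Content-Length before reserving memory for the body. The following is an added example, not part of the thread and not reSIProcate code, of validating the declared length strictly before any allocation; the names parseContentLength, reserveBody and the cap kMaxBodyBytes are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

// Assumed policy cap for this example; not a reSIProcate constant.
constexpr std::size_t kMaxBodyBytes = 65536;

enum class LengthCheck { Ok, Malformed, TooLarge };

// Accept decimal digits only (no sign, no empty value) and stop as soon as
// the running value exceeds the cap, so the accumulator can never overflow.
LengthCheck parseContentLength(std::string_view value, std::size_t& out)
{
   while (!value.empty() && (value.front() == ' ' || value.front() == '\t'))
      value.remove_prefix(1);
   while (!value.empty() && (value.back() == ' ' || value.back() == '\t' ||
                             value.back() == '\r'))
      value.remove_suffix(1);
   if (value.empty()) return LengthCheck::Malformed;

   std::size_t n = 0;
   for (char c : value)
   {
      if (c < '0' || c > '9') return LengthCheck::Malformed;
      n = n * 10 + static_cast<std::size_t>(c - '0');
      if (n > kMaxBodyBytes) return LengthCheck::TooLarge;
   }
   out = n;
   return LengthCheck::Ok;
}

// Reserve the body buffer only after the declared length passed the check.
// On false the caller should reject the message instead of allocating.
bool reserveBody(std::string_view contentLengthValue, std::string& body)
{
   std::size_t len = 0;
   if (parseContentLength(contentLengthValue, len) != LengthCheck::Ok)
      return false;
   body.clear();
   body.reserve(len);
   return true;
}
```

With the value from the test message above (1073741823), reserveBody returns false and nothing is allocated.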
