This is a good example of a security issue that needs a security report. A user-crafted SIP message that can core a running proxy is no good.
We do need to alert all users and upgrade current releases.

/O

On 9 Oct 2012, at 16:32, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

patch applied on master branch, soon it will be backported to stable branch.

Thanks,
Daniel

On 10/9/12 3:49 PM, Jijo wrote:
Hello,

Kamailio cores when it receives a corrupted Route header.

For example, this was causing the core.

Route: sip:10.236.236.100;transport=tcp;r2=on;lr;ftag=1348218287134-Test-553188;osb-tag=NM;nat=yes;twan=yes?[=& [=


I found the problem: the pointer was not initialized to null after freeing it. Please apply this fix in the next version.

Here is the diff between the original (3.2.2) and the changed version.


PGA:/mnt/o/kamailio-3.2.2/parser # diff -u parse_param.c.orig parse_param.c

--- parse_param.c.orig  2012-10-09 09:42:58.372003500 -0300

+++ parse_param.c       2012-10-09 21:34:14.556367900 -0300

@@ -545,6 +545,7 @@

  error:

        if (t) pkg_free(t);

        free_params(*_p);

+        *_p = 0;

        return -2;


  ok:
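
Review bot: the added `*_p = 0;` after `free_params(*_p);` under the `error:` label carries no comment saying why the out-parameter is reset. Add one line stating that the list has just been freed and the caller must not be left holding the stale pointer when -2 is returned, since that is the invariant this fix establishes. Writing it as `*_p = NULL;` would also make the intent clearer for a pointer. Because this is a plain `diff -u` against 3.2.2, the commit that carries it should reference the malformed Route header from the report (or add it as a regression test) so the crash case stays reproducible.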



Thanks
Jijo





_______________________________________________
sr-dev mailing list
sr-dev@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 5-8, 2012 - http://asipto.com/u/kat
Kamailio Advanced Training, Miami, USA, Nov 12-14, 2012 - http://asipto.com/u/katu