[tracker] Task opened: msg_parser memory leak (Attachment added) - sr-dev

19 Sep 2011

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
A new Flyspray task has been opened.  Details are below.
User who did this - Walter Doekes (wdoekes)
Attached to Project - sip-router
Summary - msg_parser memory leak
Task Type - Bug Report
Category - Core
Status - Assigned
Assigned To - Andrei Pelinescu-Onciul
Operating System - All
Severity - High
Priority - Normal
Reported Version - 3.1
Due in Version - Undecided
Due Date - Undecided
Details - Hi,
parser/msg_parser get_hdr_field forgets to clean up to_b parameters when pkg_free'ing to_b (To-body) on error.
A properly crafted SIP packet can cause kamailio/siprouter to run out of memory.
Example:
{{{
$ diff -pu sipsak-0.9.6/request.c{.orig,}

--- sipsak-0.9.6/request.c.orig	2011-09-19 11:28:43.793987925 +0200
+++ sipsak-0.9.6/request.c	2011-09-19 11:28:59.473988046 +0200
@@ -262,7 +262,7 @@ void create_msg(int action, char *req_bu
    			"%s sip:%s%s%s"
    			"%s%s %s:9;branch=z9hG4bK.%08x\r\n"
    			"%ssip:sipsak@%s:9;tag=%x\r\n"
-				"%ssip:%s%s\r\n"
+				"%ssip:%s%s;tag=crap;\r\n"
    			"%s%u@%s\r\n"
    			"%s%i %s\r\n"
    			"%ssip:sipsak@%s:9\r\n"
}}}
This patched sipsak will let the children calling parse_to quickly to run out of memory.
When parsing the To: body, parse_to_param adds tag=crap. Later it trips on the trailing semi-colon and returns an error. The caller only frees the container to_b and not the parsed parameters.
Fix: replace pkg_free with free_to.
Before the patch:
{{{
Sep 19 11:40:07 walter-desktop kamailio[15119]: ERROR: <core> [parser/parse_to.c:814]: ERROR: parse_to: invalid To -  unexpected end of header in state 13
Sep 19 11:40:07 walter-desktop kamailio[15121]: ERROR: <core> [parser/parse_to.c:506]: ERROR: parse_to_param : unexpected end of header, status 20: <<;tag=crap;#015#012>> .
Sep 19 11:40:07 walter-desktop kamailio[15121]: ERROR: <core> [parser/parse_to.c:814]: ERROR: parse_to: invalid To -  unexpected end of header in state 13
Sep 19 11:40:07 walter-desktop kamailio[15121]: ERROR: <core> [parser/msg_parser.c:179]: ERROR: get_hdr_field: bad to header
Sep 19 11:40:07 walter-desktop kamailio[15121]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: sip:localhost;ta]
}}}
and after a while
{{{
Sep 19 11:40:39 walter-desktop kamailio[15120]: ERROR: <core> [parser/parse_to.c:286]: ERROR: parse_to_param - out of memory
Sep 19 11:40:39 walter-desktop kamailio[15120]: ERROR: <core> [parser/parse_to.c:814]: ERROR: parse_to: invalid To -  unexpected end of header in state 27
Sep 19 11:40:39 walter-desktop kamailio[15120]: INFO: <core> [parser/msg_parser.c:353]: ERROR: bad header field [To: sip:localhost;ta]
}}}
After the patch: no more leaks and kamailio keeps on running smoothly.
Note that I added a free_cseq() in the patch as well. It only calls pkg_free, but if that were to change, get_hdr_field would be prepared.
Regards,
Walter Doekes
OSSO B.V.
One or more files have been attached.
More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=155
You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.

    