#556 Segfault in multipart parsing when delimiters are missing

Milestone: 1.8.x
Status: closed-fixed
Component: core (110)
Priority: 9
Updated: 2012-09-17
Created: 2012-09-10
Creator: Ryan Bullock
Private: No

Looks like there may be a segfault in sdp parsing. I have attached a backtrace from a segfault that we recently saw. This happens very infrequently, so I think it may be related to only certain inputs.

OpenSIPS information:
version: opensips 1.8.1-notls (x86_64/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
svnrevision: 2:9221M
@(#) $Id: main.c 8772 2012-03-08 11:16:13Z bogdan_iancu $
main.c compiled on 19:56:43 Aug 17 2012 with gcc 4.4.6

Discussion

  • Ryan Bullock (2012-09-10)

    full back trace

    Attachments
  • Ryan Bullock (2012-09-14)

    Fail parsing if multipart is missing delimiters and avoid segfault

    Attachments
  • Ryan Bullock (2012-09-14)

    • milestone: --> 1.8.x
    • priority: 5 --> 9
    • summary: Segfault in sdp handling --> Segfault in multipart parsing when delimiters are missing
  • Ryan Bullock (2012-09-14)

    Turns out this crash occurs when a multipart mime type is sent but no delimiters are present in the body. In this scenario NULL is returned as the position of the starting delimiter, which is later used to determine an incorrect pointer address. Since delimiters are required by the RFC, I have attached a patch that simply fails to parse the body if the delimiters are missing, and avoids the segfault.

    I have raised the priority on this, since it could be exploited to remotely crash OpenSIPS.

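The failure mode described in the comment above, as an added example that is not the ticket's patch or OpenSIPS code: a minimal multipart body splitter whose delimiter search returns NULL when "--boundary" never occurs, and which reports a parse failure in that case instead of doing pointer arithmetic on NULL. The boundary string, the helper names and the two sample bodies are assumptions constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample bodies (not taken from the ticket's attachment). */
static const char GOOD_BODY[] =
    "--b\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
    "--b\r\nContent-Type: text/plain\r\n\r\nhi\r\n--b--\r\n";
static const char NO_DELIM_BODY[] =          /* multipart declared, no "--b" anywhere */
    "Content-Type: application/sdp\r\n\r\nv=0\r\n";

/* Locate "--<boundary>" in body; returns NULL if the delimiter never occurs. */
static const char *find_delim(const char *body, size_t len,
                              const char *boundary, size_t blen)
{
    size_t dlen = blen + 2;                   /* "--" plus the boundary itself */
    if (len < dlen) return NULL;
    for (size_t i = 0; i + dlen <= len; i++) {
        if (body[i] == '-' && body[i + 1] == '-' &&
            memcmp(body + i + 2, boundary, blen) == 0)
            return body + i;
    }
    return NULL;
}

/* Count the parts of a multipart body. Returns the number of parts, or -1
 * when the starting delimiter is missing: the unchecked variant would add an
 * offset to the NULL returned by find_delim() and dereference the result,
 * which is the crash this ticket reports. */
int count_multipart_parts(const char *body, size_t len,
                          const char *boundary, size_t blen)
{
    const char *delim = find_delim(body, len, boundary, blen);
    if (delim == NULL)
        return -1;                            /* fail parsing, never use NULL */
    int parts = 0;
    while (delim != NULL) {
        const char *p = delim + blen + 2;     /* first byte after "--boundary" */
        size_t rest = len - (size_t)(p - body);
        if (rest >= 2 && p[0] == '-' && p[1] == '-')
            break;                            /* closing "--boundary--" reached */
        parts++;
        delim = find_delim(p, rest, boundary, blen);
    }
    return parts;
}
```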
  • Hi Ryan,

    Thanks for the patch - I applied it on svn trunk and 1.8.

    Best regards,
    Bogdan

    • assigned_to: nobody --> bogdan_iancu
    • status: open --> closed-fixed