#556 Segfault in multipart parsing when delimiters are missing

Milestone: 1.8.x
Status: closed-fixed
Component: core (110)
Priority: 9
Updated: 2012-09-17
Created: 2012-09-10
Private: No

Looks like there may be a segfault in sdp parsing. I have attached a backtrace from a segfault that we recently saw. This happens very infrequently, so I think it may be related to only certain inputs.

Opensips information:
version: opensips 1.8.1-notls (x86_64/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
svnrevision: 2:9221M
@(#) $Id: main.c 8772 2012-03-08 11:16:13Z bogdan_iancu $
main.c compiled on 19:56:43 Aug 17 2012 with gcc 4.4.6

Discussion

  • Ryan Bullock

    Ryan Bullock - 2012-09-10

    full back trace

     
    Attachments
  • Ryan Bullock

    Ryan Bullock - 2012-09-14

    Fail parsing if multipart is missing delimiters and avoid segfault

     
    Attachments
  • Ryan Bullock

    Ryan Bullock - 2012-09-14
    • milestone: --> 1.8.x
    • priority: 5 --> 9
    • summary: Segfault in sdp handling --> Segfault in multipart parsing when delimiters are missing
     
  • Ryan Bullock

    Ryan Bullock - 2012-09-14

    Turns out this crash occurs when a multipart mime type is sent but no delimiters are present in the body. In this scenario NULL is returned as the position of the starting delimiter which is later used to determine an incorrect pointer address. Since delimiters are required by RFC I have attached a patch that simply fails to parse the body if the delimiters are missing, and avoids the segfault.

    I have raised the priority on this, since it could be exploited to remotely crash OpenSIPs.
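The failure mode described in this comment (a multipart body whose boundary delimiter is never found, so the search returns NULL and that NULL ends up in pointer arithmetic) is easy to reproduce in a small parser. The block below is an added illustration written for this page; it is not OpenSIPS code and not the attached patch. It assumes a hypothetical `mp_parse()` that walks a bounded (not NUL-terminated) body for `--boundary` lines and returns an error code the moment an expected delimiter is absent, which is the same shape of fix the comment describes. The sample bodies are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the hypothetical multipart body parser. */
enum { MP_OK = 0, MP_ERR_NO_START = -1, MP_ERR_NO_END = -2, MP_ERR_ARGS = -3 };

#define MP_MAX_PARTS 8

struct mp_part {
    const char *start;   /* first byte after the delimiter line */
    size_t len;          /* bytes up to the next delimiter */
};

/* Bounded search: SIP bodies carry a length and are not NUL-terminated. */
static const char *mp_find(const char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || len < nlen) return NULL;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return buf + i;
    return NULL;
}

/*
 * Split a multipart body into parts delimited by "--<boundary>".
 * The check that matters for this ticket: a NULL from the delimiter search
 * must end parsing with an error, never be used as a base for pointer math.
 */
int mp_parse(const char *body, size_t body_len, const char *boundary,
             struct mp_part *parts, size_t max_parts, size_t *nparts)
{
    char delim[80];
    size_t dlen;
    const char *p, *end = body + body_len;

    if (!body || !boundary || !parts || !nparts || max_parts == 0) return MP_ERR_ARGS;
    *nparts = 0;
    if (snprintf(delim, sizeof delim, "--%s", boundary) >= (int)sizeof delim) return MP_ERR_ARGS;
    dlen = strlen(delim);

    p = mp_find(body, body_len, delim);
    if (p == NULL) return MP_ERR_NO_START;      /* no opening delimiter at all */

    for (;;) {
        const char *after = p + dlen;
        const char *next;
        /* "--boundary--" is the closing delimiter: parsing is complete */
        if ((size_t)(end - after) >= 2 && after[0] == '-' && after[1] == '-')
            return MP_OK;
        /* skip the line break that terminates the delimiter line */
        if ((size_t)(end - after) >= 2 && after[0] == '\r' && after[1] == '\n') after += 2;
        else if ((size_t)(end - after) >= 1 && after[0] == '\n') after += 1;
        next = mp_find(after, (size_t)(end - after), delim);
        if (next == NULL) return MP_ERR_NO_END;  /* body cut off before the closing delimiter */
        if (*nparts == max_parts) return MP_ERR_ARGS;
        parts[*nparts].start = after;
        parts[*nparts].len = (size_t)(next - after);
        (*nparts)++;
        p = next;
    }
}

/* Convenience wrapper: number of parts on success, negative error otherwise. */
int mp_count_parts(const char *body, size_t body_len, const char *boundary)
{
    struct mp_part parts[MP_MAX_PARTS];
    size_t n;
    int rc = mp_parse(body, body_len, boundary, parts, MP_MAX_PARTS, &n);
    return rc == MP_OK ? (int)n : rc;
}

/* Constructed sample bodies (not captured traffic). */
static const char GOOD_BODY[] =
    "--unique-boundary-1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "--unique-boundary-1\r\n"
    "Content-Type: application/isup\r\n\r\n"
    "ISUP\r\n"
    "--unique-boundary-1--\r\n";
/* Declared multipart by the caller, but no delimiter anywhere in the body. */
static const char BAD_BODY[] =
    "Content-Type: application/sdp\r\n\r\nv=0\r\n";
/* Opening delimiter present, closing delimiter missing. */
static const char TRUNCATED_BODY[] =
    "--unique-boundary-1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n";

int main(void)
{
    printf("good:      %d\n", mp_count_parts(GOOD_BODY, sizeof GOOD_BODY - 1, "unique-boundary-1"));
    printf("no start:  %d\n", mp_count_parts(BAD_BODY, sizeof BAD_BODY - 1, "unique-boundary-1"));
    printf("truncated: %d\n", mp_count_parts(TRUNCATED_BODY, sizeof TRUNCATED_BODY - 1, "unique-boundary-1"));
    return 0;
}
```

The design point is that every delimiter lookup has a NULL branch that returns to the caller; a body that claims to be multipart but carries no delimiters is rejected as malformed rather than walked with a bogus pointer.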

     
  • Bogdan-Andrei Iancu

    Hi Ryan,

    Thanks for the patch - I applied it on svn trunk and 1.8.

    Best regards,
    Bogdan

     
  • Bogdan-Andrei Iancu

    • assigned_to: nobody --> bogdan_iancu
    • status: open --> closed-fixed
     
