linphone-developers
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Linphone-developers] Segfault (possible DOS vulnerability) in SIP PDU p

From: Lucian Petrica
Subject: [Linphone-developers] Segfault (possible DOS vulnerability) in SIP PDU parsing (v2.5.2)
Date: Fri, 13 Jul 2012 10:25:39 +0000

Hi All,

I think I've found a bug in linphone release 2.5.2 running on ubuntu 10.10, related to parsing of malformed SIP PDUs. The problem occurs when the CRLF after SIP version string is missing or replaced with random characters. Here is how to reproduce the bug:

1) get the Sulley fuzzer from https://github.com/OpenRCE/sulley
2) drop the attached test script into Sulley's main folder
3) customize the test script for your test setup; i had sulley running on computer A (192.168.1.135) and linphone running on computer B (192.168.1.118); search and replace with your own IPs
3) start linphone on computer B (linphone -a --verbose)
4) run the test script on computer A (cd to sulley folder; python fuzz_sip.py)

Linphone will segfault and provide the following output. Notice the missing CRLF after the SIP version string in the PDU.

linphone-message : Received message:
INVITE sip:address@hidden SIP/2.0Via: SIP/2.0/UDP 192.168.1.135:5060;rport;branch=z9hG4bKfffff
Max-Forwards: 70
From: sip:address@hidden;tag=1234
To: sip:address@hidden
Call-ID: yquWX7eU5f
CSeq: 20 INVITE
Contact: <sip:address@hidden;transport=udp>
Content-Type: application/sdp
Content-Length: 169

v=0
o=uac 123456 654321 IN IP4 192.168.1.135
s=A conversation
c=IN IP4 192.168.1.135
t=0 0
m=audio 7078 RTP/AVP 112
a=rtpmap:112 speex/32000/1
a=fmtp:112 vbr=on

linphone-message : Message received from: 192.168.1.135:5060
linphone-message : Message received from: 192.168.1.135:5060
linphone-error : Wrong version number
linphone-message : MESSAGE REC. CALLID:yquWX7eU5f
linphone-message : Message received from: 192.168.1.135:5060
linphone-message : This is a request
linphone-message : allocating transaction ressource 1 yquWX7eU5f
Segmentation fault

I also attached to the linphone process with GDB which provided the following output:

[New Thread 0xb2c9bb70 (LWP 2097)]
[New Thread 0xb16d7b70 (LWP 2098)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb2c9bb70 (LWP 2097)]
0x01c6d27c in osip_list_get_first () from /usr/lib/libosipparser2.so.7
(gdb) bt
#0  0x01c6d27c in osip_list_get_first () from /usr/lib/libosipparser2.so.7
#1  0x027bb1d0 in __osip_remove_ict_transaction () from /usr/lib/libosip2.so.7
#2  0x027bb120 in osip_remove_transaction () from /usr/lib/libosip2.so.7
#3  0x027bd955 in osip_transaction_free () from /usr/lib/libosip2.so.7
#4  0x027bd55f in osip_transaction_init () from /usr/lib/libosip2.so.7
#5  0x01c8ea96 in _eXosip_transaction_init () from /usr/lib/libeXosip2.so.7
#6  0x01ca5c64 in ?? () from /usr/lib/libeXosip2.so.7
#7  0x01ca7823 in _eXosip_handle_incoming_message ()
   from /usr/lib/libeXosip2.so.7
#8  0x01cb3c54 in ?? () from /usr/lib/libeXosip2.so.7
#9  0x01ca7b35 in eXosip_read_message () from /usr/lib/libeXosip2.so.7
#10 0x01c94b00 in eXosip_execute () from /usr/lib/libeXosip2.so.7
#11 0x01c95b2a in ?? () from /usr/lib/libeXosip2.so.7
#12 0x009e7d31 in start_thread () from /lib/i386-linux-gnu/libpthread.so.0
#13 0x00acf46e in clone () from /lib/i386-linux-gnu/libc.so.6
Backtrace stopped: Not enough registers or memory available to unwind further


Thanks,
Lucian

Attachment: fuzz_sip.py
Description: fuzz_sip.py

reply via email to
[Prev in Thread] Current Thread [Next in Thread]