[OpenSIPS-Devel] [ opensips-Bugs-3566409 ] Segfault in multipart parsing when delimiters are missing

SourceForge.net noreply at sourceforge.net
Mon Sep 17 09:41:19 CEST 2012


Bugs item #3566409, was opened at 2012-09-10 12:47
Message generated for change (Settings changed) made by bogdan_iancu
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=1086410&aid=3566409&group_id=232389

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: 1.8.x
>Status: Closed
>Resolution: Fixed
Priority: 9
Private: No
Submitted By: Ryan Bullock (rrb3942)
>Assigned to: Bogdan-Andrei Iancu (bogdan_iancu)
Summary: Segfault in multipart parsing when delimiters are missing

Initial Comment:
Looks like there may be a segfault in sdp parsing. I have attached a backtrace from a segfault that we recently saw. This happens very infrequently, so I think it may be related to only certain inputs.

Opensips information:
version: opensips 1.8.1-notls (x86_64/linux)
flags: STATS: Off, USE_IPV6, USE_TCP, DISABLE_NAGLE, USE_MCAST, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
svnrevision: 2:9221M
@(#) $Id: main.c 8772 2012-03-08 11:16:13Z bogdan_iancu $
main.c compiled on 19:56:43 Aug 17 2012 with gcc 4.4.6

----------------------------------------------------------------------

>Comment By: Bogdan-Andrei Iancu (bogdan_iancu)
Date: 2012-09-17 00:41

Message:
Hi Ryan,

Thanks for the patch - I applied it on svn trunk and 1.8.

Best regards,
Bogdan

----------------------------------------------------------------------

Comment By: Ryan Bullock (rrb3942)
Date: 2012-09-14 09:03

Message:
Turns out this crash occurs when a multipart mime type is sent but no
delimiters are present in the body. In this scenario NULL is returned as
the position of the starting delimiter which is later used to determine an
incorrect pointer address. Since delimiters are required by RFC I have
attached a patch that simply fails to parse the body if the delimiters are
missing, and avoids the segfault.

I have raised the priority on this, since it could be exploited to remotely
crash OpenSIPS.

----------------------------------------------------------------------
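The failure mode Ryan describes, as an added example written for this page (my code, not OpenSIPS's multipart parser and not the patch attached to the report): a body arrives under a multipart Content-Type, the search for the first "--boundary" delimiter returns NULL, and the parser goes on to do pointer arithmetic on that NULL. The version below refuses the body instead. The function names, the 80-byte delimiter buffer and the sample bodies are all assumptions constructed for the example; the boundary value is assumed to have already been taken from the Content-Type header by the caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* memmem-style search over a non-NUL-terminated buffer; NULL if absent. */
static const char *find_bytes(const char *hay, size_t hlen,
                              const char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/*
 * Added example, not OpenSIPS code. Locates the first body part, i.e. the
 * bytes between the first delimiter line ("--" + boundary, RFC 2046) and the
 * next delimiter. Returns 0 on success; -1 when the body carries no delimiter
 * at all (the input from this report), when the only delimiter is the closing
 * one, or when the part is never terminated.
 */
int multipart_first_part(const char *body, size_t blen, const char *boundary,
                         const char **part, size_t *part_len)
{
    char delim[80];                       /* assumed limit: boundary <= 77 bytes */
    size_t dlen;
    const char *end, *start, *p, *next, *pe;

    if (!body || !boundary || !part || !part_len)
        return -1;
    dlen = 2 + strlen(boundary);
    if (dlen >= sizeof delim)
        return -1;
    delim[0] = '-';
    delim[1] = '-';
    memcpy(delim + 2, boundary, dlen - 2);

    end = body + blen;
    start = find_bytes(body, blen, delim, dlen);
    if (!start)
        return -1;  /* bail out here; using a NULL start as a base pointer is the crash */

    p = start + dlen;                     /* just past "--boundary" */
    if ((size_t)(end - p) >= 2 && p[0] == '-' && p[1] == '-')
        return -1;                        /* closing delimiter came first: no parts */
    if ((size_t)(end - p) >= 2 && p[0] == '\r' && p[1] == '\n')
        p += 2;
    else if (p < end && p[0] == '\n')
        p += 1;
    else
        return -1;                        /* delimiter line not terminated */

    next = find_bytes(p, (size_t)(end - p), delim, dlen);
    if (!next)
        return -1;                        /* no second delimiter: unterminated part */

    /* the line break before a delimiter belongs to the delimiter, not the part */
    pe = next;
    if (pe - p >= 2 && pe[-2] == '\r' && pe[-1] == '\n')
        pe -= 2;
    else if (pe - p >= 1 && pe[-1] == '\n')
        pe -= 1;

    *part = p;
    *part_len = (size_t)(pe - p);
    return 0;
}

/* Constructed sample bodies, not captured traffic. */
static const char BODY_OK[] =
    "--unique-boundary-1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "--unique-boundary-1--\r\n";
static const char BODY_NO_DELIM[] =       /* multipart Content-Type, no delimiters */
    "Content-Type: application/sdp\r\n\r\nv=0\r\n";
static const char BODY_CLOSE_ONLY[] = "--unique-boundary-1--\r\n";

/* Length of the first part, or -1 when the body is rejected. */
long first_part_len(const char *body)
{
    const char *part;
    size_t n;
    if (multipart_first_part(body, strlen(body), "unique-boundary-1", &part, &n) != 0)
        return -1;
    return (long)n;
}

/* 1 if the first part is exactly `expected`, else 0. */
int first_part_is(const char *body, const char *expected)
{
    const char *part;
    size_t n;
    if (multipart_first_part(body, strlen(body), "unique-boundary-1", &part, &n) != 0)
        return 0;
    return n == strlen(expected) && memcmp(part, expected, n) == 0;
}

int main(void)
{
    printf("with delimiters: %ld\n", first_part_len(BODY_OK));
    printf("no delimiters:   %ld\n", first_part_len(BODY_NO_DELIM));
    printf("closing only:    %ld\n", first_part_len(BODY_CLOSE_ONLY));
    return 0;
}
```

Every "not found" result from the delimiter search is turned into a parse failure before any offset is computed from it, which is the same shape as the fix described in the report: a body that claims to be multipart but carries no delimiter is rejected rather than parsed. Checking that the part is terminated by a second delimiter covers the related case of a truncated body.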
