OpenSIPS Crash


OpenSIPS Crash

Ben Newlin

Hi,

While running a new test scenario I encountered an OpenSIPS crash.

version: opensips 2.3.3 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, F_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
git revision: a0bed9d
main.c compiled on 21:08:28 May 16 2018 with gcc 4.8.5

Logs: https://pastebin.com/3vL3rbG4
BT: https://pastebin.com/tTp32ASC

Let me know if anything else is needed.

Thanks,
Ben Newlin


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: OpenSIPS Crash

Liviu Chircu

Hi Ben,

Excellent report! I managed to reproduce the crash on first try:

Core was generated by `./opensips -m64 -M16 -f cfg/opensips-2.4-sipp-siptrace.cfg -w .'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f7987cd7f2a in sip_trace (msg=0x7f799817fd20, info=0x7f799468d5e0) at siptrace.c:1646
1646        db_vals[1].val.str_val.s = msg->callid->body.s;
(gdb) bt
#0  0x00007f7987cd7f2a in sip_trace (msg=0x7f799817fd20, info=0x7f799468d5e0) at siptrace.c:1646
#1  0x00007f7987cd7c8d in sip_trace_w (msg=0x7f799817fd20, param1=0x7f7998169110 "\001", param2=0x2 <error: Cannot access memory at address 0x2>, param3=0x7f79981691f8 "\001", param4=0x0) at siptrace.c:1590
#2  0x0000000000445082 in do_action (a=0x7f79981589a0, msg=0x7f799817fd20) at action.c:1864
#3  0x000000000043ccf7 in run_action_list (a=0x7f79981589a0, msg=0x7f799817fd20) at action.c:172

Quick question for you: you are sending a malformed INVITE, correct? Here is how mine looked:

INVITE sip:sipp@127.0.0.1:5060 SIP/2.0.
Via: SIP/2.0/UDP 127.0.0.1:7000;branch=z9hG4bK-1988-1-0.
From: sipp <sip:sipp@127.0.0.1:7000>;tag=123456789.
To: sut <sip:sipp@127.0.0.1:5060>.
CSeq: 1 INVITE.
Contact: <sip:sipp@127.0.0.1:7000>   Call-ID: 1-1988@127.0.0.1.
Max-Forwards: 70.
Subject: Performance Test.
Content-Type: application/sdp.
Content-Length:   129.
.
v=0.
o=user1 53655765 2353687637 IN IP4 127.0.0.1.
s=-.
c=IN IP4 127.0.0.1.
t=0 0.
m=audio 6001 RTP/AVP 0.
a=rtpmap:0 PCMU/8000.

Notice how OpenSIPS will be unable to parse the Call-ID header field, hence the immediate crash in sip_trace(), as it's unable to handle a NULL Call-ID.

Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com
On 07.06.2018 22:24, Ben Newlin wrote:

> While running a new test scenario I encountered an OpenSIPS crash.

Re: OpenSIPS Crash

Ben Newlin

Liviu,

I am very impressed! I was indeed sending a malformed invite just like the one you posted, specifically with the missing line termination before the Call-ID.

Thanks,
Ben Newlin

From: Users <[hidden email]> on behalf of Liviu Chircu <[hidden email]>
Reply-To: OpenSIPS users mailling list <[hidden email]>
Date: Friday, June 8, 2018 at 5:17 AM
To: "[hidden email]" <[hidden email]>
Subject: Re: [OpenSIPS-Users] OpenSIPS Crash

> Quick question for you: you are sending a malformed INVITE, correct?

Re: OpenSIPS Crash

Schneur Rosenberg
A malformed SIP packet should not crash OpenSIPS; it should just give
an error and move on.

On Fri, Jun 8, 2018 at 3:00 PM, Ben Newlin <[hidden email]> wrote:

> I am very impressed! I was indeed sending a malformed invite just like the
> one you posted, specifically with the missing line termination before the
> Call-ID.

Re: OpenSIPS Crash

Liviu Chircu
That we already know, dear sir! But before simply fixing this issue and
moving on, my question is: How many more OpenSIPS functions (sip_trace()
included) are still subject to such a basic vulnerability?

(probably this will turn into a GitHub ticket that will be assigned to
me. Oh well, at least it's for the better good of the community)

Cheers,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 08.06.2018 18:58, Schneur Rosenberg wrote:

> A malformed SIP packet should not crash OpenSIPS; it should just give
> an error and move on.

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
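As an added example that is not part of this thread and not OpenSIPS code, the C program below illustrates both Liviu's explanation of the crash (a "Call-ID:" glued onto the Contact line by a missing line terminator is never seen as a header, so the parsed message carries a NULL Call-ID pointer) and his closing question (every consumer of a parsed header pointer needs the NULL check that the assignment at siptrace.c:1646 lacked). The two messages are constructed from the INVITE quoted in the thread, with CRLF line endings; `find_header`, `sip_msg_lite`, `parse_lite` and `trace_call_id` are hypothetical, deliberately simplified stand-ins, not OpenSIPS's parser or its sip_trace() function.

```c
/* Added example, not OpenSIPS code: a minimal SIP header scanner showing why a
 * missing line terminator leaves no Call-ID header, plus the NULL check that any
 * consumer of the parsed header (such as a trace function) needs. The names
 * find_header, sip_msg_lite, parse_lite and trace_call_id are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs modelled on the INVITE quoted in the thread (CRLF endings). */
static const char GOOD_INVITE[] =
    "INVITE sip:sipp@127.0.0.1:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:7000;branch=z9hG4bK-1988-1-0\r\n"
    "From: sipp <sip:sipp@127.0.0.1:7000>;tag=123456789\r\n"
    "Contact: <sip:sipp@127.0.0.1:7000>\r\n"
    "Call-ID: 1-1988@127.0.0.1\r\n"
    "\r\n";
/* Same message without the CRLF before Call-ID: "Call-ID: ..." is now trailing
 * text inside the Contact value, so no Call-ID header exists at all. */
static const char BAD_INVITE[] =
    "INVITE sip:sipp@127.0.0.1:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:7000;branch=z9hG4bK-1988-1-0\r\n"
    "From: sipp <sip:sipp@127.0.0.1:7000>;tag=123456789\r\n"
    "Contact: <sip:sipp@127.0.0.1:7000>   Call-ID: 1-1988@127.0.0.1\r\n"
    "\r\n";

/* Case-insensitive compare of n bytes: SIP header names are case-insensitive. */
static int name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Find the value of header `name` (or its one-letter compact form). Returns a
 * pointer into msg and sets *len, or NULL when no such header line exists. Only
 * the text before a line's first ':' is a header name, so "Call-ID:" glued onto
 * another header's value is never recognised as a header. */
static const char *find_header(const char *msg, const char *name, char compact, size_t *len)
{
    const char *line = strstr(msg, "\r\n");            /* skip the request line */
    if (!line) return NULL;
    line += 2;
    while (*line && strncmp(line, "\r\n", 2) != 0) {   /* empty line ends headers */
        const char *eol = strstr(line, "\r\n");
        if (!eol) eol = line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (colon) {
            size_t nlen = (size_t)(colon - line);
            if ((nlen == strlen(name) && name_eq(line, name, nlen))
                || (nlen == 1 && tolower((unsigned char)line[0]) == compact)) {
                const char *v = colon + 1;
                while (v < eol && (*v == ' ' || *v == '\t')) v++;   /* skip LWS */
                *len = (size_t)(eol - v);
                return v;
            }
        }
        line = *eol ? eol + 2 : eol;
    }
    return NULL;
}

/* Parsed-message view analogous to msg->callid in the backtrace: NULL means the
 * parser found no Call-ID header. */
struct sip_msg_lite { const char *callid; size_t callid_len; };

static void parse_lite(const char *raw, struct sip_msg_lite *m)
{
    m->callid = find_header(raw, "Call-ID", 'i', &m->callid_len);
}

/* Guarded counterpart of the assignment that crashed (siptrace.c:1646): refuse
 * to trace a message without a Call-ID instead of dereferencing NULL. */
static int trace_call_id(const struct sip_msg_lite *m, char *out, size_t outsz)
{
    if (m->callid == NULL) {
        fprintf(stderr, "trace: message has no Call-ID header, skipping\n");
        return -1;
    }
    if (m->callid_len + 1 > outsz) return -1;       /* would not fit, reject */
    memcpy(out, m->callid, m->callid_len);
    out[m->callid_len] = '\0';
    return 0;
}

/* Parse raw, run the guarded trace step and report whether the traced Call-ID
 * equals expected (0 when the message was rejected or the value differs). */
static int callid_is(const char *raw, const char *expected)
{
    struct sip_msg_lite m;
    char buf[128];
    parse_lite(raw, &m);
    return trace_call_id(&m, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("well-formed INVITE traced: %d\n", callid_is(GOOD_INVITE, "1-1988@127.0.0.1"));
    printf("malformed INVITE traced:   %d\n", callid_is(BAD_INVITE, "1-1988@127.0.0.1"));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run it: the well-formed INVITE yields its Call-ID, while the malformed one is rejected with a log line rather than a segfault. The shape of the guard, a NULL test on the header pointer before any `msg->hdr->body` access, is what a review of the other functions Liviu wonders about would look for.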