[sr-dev] [tracker] Task opened: Crash in msrp module

sip-router bugtracker at sip-router.org
Wed Apr 16 17:03:24 CEST 2014


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Luis Martin (lmartin) 

Attached to Project - sip-router
Summary - Crash in msrp module
Task Type - Bug Report
Category - Module
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Normal
Reported Version - Development
Due in Version - Undecided
Due Date - Undecided
Details - When a non-rfc compliant MSRP message is received, Kamailio crashes. 

MSRP message used to trigger (notice From-Path before To-Path):
    MSRP 253291932 SEND
    From-Path: msrp://64.58.53.27:5823/9000001399;tcp
    To-Path: msrp://66.170.58.133:9000/0;tcp msrp://dz3prq5k.invalid:9000/a520utdsm7;ws
    Message-ID: T00000577C253291932
    Byte-Range: 1-14/14
    Content-Type: text/plain
    
    Test
    -------253291932$

This makes the Kamailio msrp parser properly allow this, even though it's not fully rfc4975 compliant (check the MSRP RFC grammar):
    headers = To-Path CRLF From-Path CRLF 1*( header CRLF )
    To-Path = "To-Path:" SP MSRP-URI *( SP MSRP-URI )
    From-Path = "From-Path:" SP MSRP-URI *( SP MSRP-URI )
    (...)


And makes 'msrp_netio' crash (https://github.com/kamailio/kamailio/blob/master/modules/msrp/msrp_netio.c#L107):
        memcpy(p, mf->buf.s, tpath->body.s - mf->buf.s);
        p += tpath->body.s - mf->buf.s;
        memcpy(p, l + 1, fpath->body.s - l - 1);
        p += fpath->body.s - l - 1;
        memcpy(p, tpath->body.s, l + 1 - tpath->body.s);
        p += l + 1 - tpath->body.s;
        memcpy(p, fpath->name.s + 11, mf->buf.s + mf->buf.len - fpath->name.s - 11);
        p += mf->buf.s + mf->buf.len - fpath->name.s - 11;


The solution adopted is to make the parser more robust; check the luismartingil/msrp_crash branch in the Kamailio git repo.

Thanks,
Luis Martin Gil

More information can be found at the following URL:
http://sip-router.org/tracker/index.php?do=details&task_id=419

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
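
The pointer arithmetic in the quoted excerpt, worked through as an added example (not Kamailio code and not part of the original report): with From-Path ahead of To-Path, the second copy length comes out negative, and memcpy takes it as a very large size_t. The helper name, the sample hosts and the reading of `l` as the space after the first To-Path URI are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples modelled on the report's message (hosts are placeholders). */
static const char msg_rfc_order[] = "MSRP 253291932 SEND\r\n"
    "To-Path: msrp://a.invalid:9000/0;tcp msrp://b.invalid:9000/x;ws\r\n"
    "From-Path: msrp://c.invalid:5823/y;tcp\r\n\r\n";
static const char msg_swapped[] = "MSRP 253291932 SEND\r\n"
    "From-Path: msrp://c.invalid:5823/y;tcp\r\n"
    "To-Path: msrp://a.invalid:9000/0;tcp msrp://b.invalid:9000/x;ws\r\n\r\n";

/* Hypothetical helper: recomputes the four memcpy lengths of the excerpt as
 * signed values. Returns 0 if all are non-negative, -1 if one is negative
 * (stored in *bad), -2 if a header or a second To-Path URI is missing. */
int msrp_relay_lengths_ok(const char *buf, ptrdiff_t *bad)
{
    const char *end = buf + strlen(buf);
    const char *tname = strstr(buf, "\r\nTo-Path: ");
    const char *fname = strstr(buf, "\r\nFrom-Path: ");
    if (tname == NULL || fname == NULL)
        return -2;
    tname += 2; fname += 2;            /* skip CRLF: start of header name */
    const char *tbody = tname + 9;     /* strlen("To-Path: ") */
    const char *fbody = fname + 11;    /* strlen("From-Path: "), the "+ 11" */
    const char *teol = strstr(tbody, "\r\n");
    /* Assumption: l is the space that ends the first To-Path URI. */
    const char *l = teol ? memchr(tbody, ' ', (size_t)(teol - tbody)) : NULL;
    if (l == NULL)
        return -2;
    ptrdiff_t n[4] = {
        tbody - buf,        /* tpath->body.s - mf->buf.s */
        fbody - l - 1,      /* fpath->body.s - l - 1 */
        l + 1 - tbody,      /* l + 1 - tpath->body.s */
        end - fname - 11,   /* mf->buf.s + mf->buf.len - fpath->name.s - 11 */
    };
    for (int i = 0; i < 4; i++)
        if (n[i] < 0) { *bad = n[i]; return -1; }
    return 0;
}

int main(void)
{
    ptrdiff_t bad = 0;
    printf("rfc order: %d\n", msrp_relay_lengths_ok(msg_rfc_order, &bad));
    printf("swapped:   %d\n", msrp_relay_lengths_ok(msg_swapped, &bad));
    printf("negative length %td becomes size_t %zu\n", bad, (size_t)bad);
    return 0;
}
```

A signed check like this before the copies, or a parser that rejects the wrong header order, keeps the negative length from reaching memcpy.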