(:toc-float Table of Content:)
SVN commit: http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=7859
Version : 1.6.4 only
Affected modules : ACC
Effect : OpenSIPS Crashes
Affected scenarios: When using the ACC module with dialog-based accounting (cdr_flag), in combination with data to be accounted that is larger than 128 chars. A typical scenario would be an OpenSIPS script that also stores the Contact fields of the caller or callee, where either of them supports GRUU. Since the GRUU extension increases the size of the actual Contact URI considerably, it is very likely that the Contact would be larger than 128 bytes, and the bug would manifest itself as an OpenSIPS crash.
Description : The bug is the result of an integer overflow. When a field that needed to be stored in the accounting table (be it one of the default fields, an extra accounting field, or a per-leg accounting field) had a length greater than 128 bytes, OpenSIPS would overflow the size to a negative length for that field, so subsequent operations on that field would result in a crash.
Risks : Since the bug affects a very simple and common scenario (accounting) and can be exploited by outside attackers (by sending SIP packets with various very long fields), updating your sources is critical.
Update : If you have an SVN checkout, update branch 1.6 to a revision later than 7859; if you have OpenSIPS from sources, download and apply the patch from SVN or see the attached patch.
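The length-truncation pattern behind this advisory, as an added example in C that is not the ACC module's code. It assumes the field length was kept in a signed 8-bit slot (an assumption suggested by the 128-byte threshold at which the length turns negative), shows a constructed GRUU-style Contact of 141 bytes coming out with a negative length, and puts the bounds-checked store beside it. ACC_FIELD_MAX, the struct and function names and both sample Contact values are invented for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the length-truncation bug class in this advisory, not the ACC module's
   code. Assumption: the length lived in a signed 8-bit slot, which a 128-byte threshold that flips
   the length negative suggests. ACC_FIELD_MAX and all names here are invented for the example. */
#define ACC_FIELD_MAX 128

typedef struct { const char *s; signed char len; } narrow_str_t;  /* too narrow for >= 128 */
typedef struct { const char *s; int len; } str_t;

/* Buggy pattern: the length is silently truncated on store. A value of 128 or more comes out
   negative, and a later (size_t)len in memcpy()/strncpy() becomes a huge unsigned count. */
int narrow_store(narrow_str_t *out, const char *value) {
    out->s = value;
    out->len = (signed char)strlen(value);
    return out->len;
}

/* Hardened pattern: measure with size_t, compare against the cap before storing, and refuse
   (rather than truncate) anything that does not fit. Returns the stored length or -1. */
int checked_store(str_t *out, const char *value, size_t cap) {
    size_t n = strlen(value);
    if (n > cap || n > (size_t)INT_MAX) return -1;  /* caller logs and drops/rejects the field */
    out->s = value;
    out->len = (int)n;
    return out->len;
}

/* Constructed Contact value with a GRUU-style gr= parameter; 141 bytes, i.e. over the cap. */
static const char SAMPLE_GRUU_CONTACT[] =
    "<sip:alice@example.com;gr=urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6;"
    "opaque=gruu-example-0123456789abcdef0123456789abcdef0123456789abcdef>";
static const char SAMPLE_PLAIN_CONTACT[] = "<sip:bob@example.com>";  /* 21 bytes */

size_t sample_gruu_len(void) { return strlen(SAMPLE_GRUU_CONTACT); }

/* What each store returns for the two samples: the narrow one goes negative on the GRUU Contact. */
int demo_narrow_gruu(void)   { narrow_str_t f; return narrow_store(&f, SAMPLE_GRUU_CONTACT); }
int demo_narrow_plain(void)  { narrow_str_t f; return narrow_store(&f, SAMPLE_PLAIN_CONTACT); }
int demo_checked_gruu(void)  { str_t f; return checked_store(&f, SAMPLE_GRUU_CONTACT, ACC_FIELD_MAX); }
int demo_checked_plain(void) { str_t f; return checked_store(&f, SAMPLE_PLAIN_CONTACT, ACC_FIELD_MAX); }

int main(void) {
    printf("GRUU Contact (%zu bytes): narrow=%d checked=%d\n", sample_gruu_len(),
           demo_narrow_gruu(), demo_checked_gruu());
    printf("plain Contact: narrow=%d checked=%d\n", demo_narrow_plain(), demo_checked_plain());
    return 0;
}
```

The checked variant refuses the field instead of truncating it; whether the caller then drops the field, stores a marker value, or rejects the request is a policy choice, but a negative or wrapped length must never reach the copy routines.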
SVN commit: http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=8628
Version : 1.7 and below
Affected modules : CORE
Effect : Memory Corruption and eventually OpenSIPS Crash
Affected scenarios: The bug is at a very low level and can affect a variety of scenarios involving changes to the message body, ranging from simply using the RTPProxy/MediaProxy or Nathelper modules for NAT traversal to modifying the message body from the OpenSIPS script for various purposes (codec stripping, etc.). This bug appears only when using UDP and handling a SIP message that advertises a Content-Length longer than the actual payload.
Description : The bug lies in the fact that when getting the body of the SIP message, OpenSIPS relies entirely on the Content-Length header for the body size. If the value in the Content-Length header is larger than the actual body of the SIP message, OpenSIPS will end up accessing invalid memory, which can result either in a crash or in memory corruption. If the value is lower than the actual received body, the end result can be a further malformed SIP packet, since OpenSIPS will use wrong offsets when altering the SIP body.
When receiving SIP messages over UDP, OpenSIPS can accurately determine the actual size of the SIP body, because it knows the size of the datagram received from the UDP socket; this is what the fix is based on.
Risks : Since the bug can be exploited by outside attackers (by sending SIP packets with incorrect Content-Length headers), updating your sources is critical.
Update : If you have an SVN checkout, update to a revision later than 8628; if you have OpenSIPS from sources, download and apply the patch from SVN or see the attached patch.
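An added example in C, not OpenSIPS code, of the two body-extraction strategies this advisory contrasts: body_len_from_header_only() trusts Content-Length alone, while sip_get_body_udp() bounds the body by the datagram length, rejects a Content-Length that claims more bytes than the datagram holds (RFC 3261 section 18.3 treats that as an error), and reports any bytes beyond Content-Length as trailing rather than folding them into the body. The INVITE produced by build_sample_invite() is constructed, and every function, type and constant name here is an assumption made for the example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example of the fix this advisory describes (not OpenSIPS code); all names are invented. */
#define SIP_BODY_ERR_NOSEP -1  /* no CRLFCRLF: headers never end inside the datagram */
#define SIP_BODY_ERR_BADCL -2  /* Content-Length missing, non-numeric or too large */
#define SIP_BODY_ERR_SHORT -3  /* Content-Length claims more bytes than the datagram holds */

typedef struct {
    const char *body;  /* start of the body inside the datagram */
    size_t len;        /* accepted body length */
    size_t trailing;   /* bytes after the body that Content-Length did not cover */
} sip_body_t;

/* Case-insensitive comparison of exactly n bytes (SIP header names are case-insensitive). */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Offset of the first body byte (after CRLFCRLF), or -1 if the separator is not in the buffer. */
static long find_body_offset(const char *buf, size_t len) {
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

/* Content-Length value (long form or compact "l:") found in the header block, else -1. */
static long parse_content_length(const char *hdrs, size_t hdr_len) {
    for (size_t i = 0; i < hdr_len;) {
        size_t j = i;
        while (j < hdr_len && hdrs[j] != '\n') j++;  /* j = end of this header line */
        const char *line = hdrs + i, *colon = memchr(line, ':', j - i);
        if (colon) {
            size_t name = (size_t)(colon - line);
            while (name && (line[name - 1] == ' ' || line[name - 1] == '\t')) name--;
            if ((name == 14 && ieq(line, "Content-Length", 14)) || (name == 1 && ieq(line, "l", 1))) {
                const char *v = colon + 1, *end = hdrs + j;
                while (v < end && (*v == ' ' || *v == '\t')) v++;
                if (v >= end || !isdigit((unsigned char)*v)) return -1;
                long val = 0;
                for (; v < end && isdigit((unsigned char)*v); v++) {
                    if (val > (LONG_MAX - 9) / 10) return -1;  /* would overflow: reject */
                    val = val * 10 + (*v - '0');
                }
                return val;
            }
        }
        i = j + 1;
    }
    return -1;
}

/* The pattern the advisory describes: the body is as long as the header says it is. */
long body_len_from_header_only(const char *dgram, size_t dgram_len) {
    long off = find_body_offset(dgram, dgram_len);
    return off < 0 ? SIP_BODY_ERR_NOSEP : parse_content_length(dgram, (size_t)off);
}

/* Fixed pattern: on UDP the datagram length bounds the body. RFC 3261 section 18.3: a body shorter
   than Content-Length is an error; bytes beyond Content-Length are discarded (reported in trailing). */
int sip_get_body_udp(const char *dgram, size_t dgram_len, sip_body_t *out) {
    long off = find_body_offset(dgram, dgram_len);
    if (off < 0) return SIP_BODY_ERR_NOSEP;
    long cl = parse_content_length(dgram, (size_t)off);
    if (cl < 0) return SIP_BODY_ERR_BADCL;
    size_t avail = dgram_len - (size_t)off;
    if ((size_t)cl > avail) return SIP_BODY_ERR_SHORT;
    out->body = dgram + off;
    out->len = (size_t)cl;
    out->trailing = avail - (size_t)cl;
    return 0;
}

/* Constructed sample: an INVITE with a 17-byte SDP body and a caller-chosen Content-Length. */
size_t build_sample_invite(char *out, size_t cap, const char *cl_value) {
    int n = snprintf(out, cap,
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bKabc\r\n"
        "Content-Type: application/sdp\r\n"
        "Content-Length: %s\r\n\r\n"
        "v=0\r\ns=-\r\nt=0 0\r\n", cl_value);
    return (n < 0 || (size_t)n >= cap) ? 0 : (size_t)n;
}

/* Demo helper: parse the sample built with the given Content-Length. what 0 = length the header
   alone claims, 1 = length the checked parser accepts (or its error code), 2 = trailing bytes. */
long demo(const char *cl_value, int what) {
    char buf[512]; sip_body_t b;
    size_t n = build_sample_invite(buf, sizeof buf, cl_value);
    if (!n) return -99;
    if (what == 0) return body_len_from_header_only(buf, n);
    int rc = sip_get_body_udp(buf, n, &b);
    return rc != 0 ? rc : (what == 1 ? (long)b.len : (long)b.trailing);
}
```

With a Content-Length of 500 over a 17-byte body, the header-only path reports 500 bytes, which is exactly the read past the datagram that the advisory describes, while the checked path returns SIP_BODY_ERR_SHORT; with a Content-Length of 5 the checked path accepts 5 bytes and reports 12 trailing bytes instead of letting later body edits work from wrong offsets.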
SVN commit: http://opensips.svn.sourceforge.net/viewvc/opensips?view=revision&revision=9081
Version : 1.8
Affected modules : DROUTING
Effect : Failure to route to GWs
Affected scenarios: The bug appears when using the do_routing() function (which may return more than one gateway as a possible destination for the given number) after you have made changes to the RURI (either via other modules or via script functions such as strip(), prefix(), etc.).
Description : If the do_routing() call resulted in multiple possible destinations for the matched prefix, the first Request URI would be correct, but the Request URIs for the next branches would become malformed. This is because OpenSIPS would internally use the wrong buffer when building the new Request URIs for the next branches.
Risks : The bug cannot be exploited by outside attackers, but since its effect is the output of malformed SIP messages, it can affect upstream routing, and thus updating is very important.
Update : If you have an SVN checkout, update to a revision later than 9081; if you have OpenSIPS from sources, download and apply the patch from SVN or see the attached patch.