When the function append_hf handles a SIP message with a malformed To header, a call to the function abort() is performed resulting in a crash. This is due to the following check in data_lump.c:399 in the function anchor_lump.
The payload that crashes the server is:
OPTIONS sip:127.0.0.1 SIP/2.0<CRLF>
Via: SIP/2.0/UDP 192.168.1.223:59589;rport;branch=z9hG4bK-dnOo7rULZLiOjRDh<CRLF>
To: a;a="T\
Impact
An attacker abusing this vulnerability will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function append_hf.
Patches
This issue has been fixed by commit cb56694.
References
Read more about this issue in the Audit Document section 3.8.
For more information
If you have any questions or comments about this advisory:
sandrogauci Analyst
alfredfarrugia Analyst
When the function
append_hfhandles a SIP message with a malformed To header, a call to the functionabort()is performed resulting in a crash. This is due to the following check indata_lump.c:399in the functionanchor_lump.The payload that crashes the server is:
Impact
An attacker abusing this vulnerability will crash OpenSIPS leading to Denial of Service. It affects configurations containing functions that make use of the affected code, such as the function
append_hf.Patches
This issue has been fixed by commit cb56694.
References
Read more about this issue in the Audit Document section 3.8.
For more information
If you have any questions or comments about this advisory: