Re: [osip-dev] SUBSCRIBE forking

From:

Aymeric Moizard

Subject:

Date:

Thu, 13 Apr 2017 12:35:53 +0200

Hi Christoph,

I have partly discovered the issue (where NOTIFY with

different tag are accepted even if dialog is established)

Reading quickly the code, it seems the leak occurs on line 1133

of udp.c file? The dialog is replaced but not release?

(--line is calling _eXosip_dialog_init_as_uac--)

Do you confirm this is the leak?

Regards

Aymeric

2017-04-13 12:26 GMT+02:00 FEICHTER Christoph <address@hidden>:

hi aymeric,

we recently found out about a vulnerability of SIP regarding forking of SUBSCRIBE requests – which

also applies to eXosip.

The scenario is the following:

-          UAC subscribes an event

-          the UAS (subscribee) accepts and sends NOTIFY requests

-          the UAS generates for each NOTIFY request a new From-tag.

This makes it look for the subscriber as if the SUBSCRIBE request has been forked,

and multiple subscribes do send NOTIFYs !

In eXosip it seems to no make a difference, whether these NOTIFY requests are answered

by 200 Ok or a 456xx response. eXosip does create dialogs for each NOTIFY ..

.. and the memory consumption increases until we are out of memory.

What do you think about this vulnerability ?

Should we specify a max. number of forks for SUBSCRIBE ?

Regards and happy easter,

Christoph

_______________________________________________
osip-dev mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/osip-dev

Antisip - http://www.antisip.com

[osip-dev] SUBSCRIBE forking, FEICHTER Christoph, 2017/04/13

Re: [osip-dev] SUBSCRIBE forking, Aymeric Moizard <=
- Re: [osip-dev] SUBSCRIBE forking, FEICHTER Christoph, 2017/04/13
  - Re: [osip-dev] SUBSCRIBE forking, Aymeric Moizard, 2017/04/14
  - Re: [osip-dev] SUBSCRIBE forking, FEICHTER Christoph, 2017/04/18
  - [osip-dev] osip2 + LGPL + MCU, Maxim, 2017/04/28