CVE-2023-28097: Vulnerability in the Content-Length Parser

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, a malformed SIP message containing a large Content-Length value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the -m flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred when shared memory was set to 2362 or higher. This issue is fixed in versions 3.1.9 and 3.2.6. The only workaround is to guarantee that the Content-Length value of input messages is never larger than 2147483647.


Package

opensips (OpenSIPS Core)

Affected versions

<= 3.2.5, <= 3.1.8

Patched versions

3.1.9, 3.2.6

Impact

A malformed SIP message containing a large Content-Length value and a specially crafted Request-URI
causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using
the -m flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred
when shared memory was set to 2362 or higher.

Issue Description

The problem occurred in the following code block:

/* Digit loop from the affected versions: p/end delimit the header value, number is a signed int
   that accumulates the Content-Length, size counts digits consumed. */
while (p<end && *p>='0' && *p<='9') {
    number = number*10 + (*p)-'0';   /* signed overflow once the value passes 2147483647 */
    if (number<0) {                  /* intended overflow check; relies on wrap-around to negative */
        LM_ERR("number overflow at pos %d in len number [%.*s]\n",
            (int)(p-buffer),(int)(end-buffer), buffer);
        return 0;
    }
    size ++;
    p++;
}

This code block incorrectly assumes that an integer overflow of the variable number is detected by
checking whether the value is less than zero. Signed integer overflow is undefined behaviour in C, so
the compiler is free to assume it never happens and to treat a check that can only be true after an
overflow as dead code. Accordingly, it was observed that this check returned false when compiled with
optimizations, even though the value had wrapped to a negative number.
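A bounds-checked version of that loop, written here as an added illustration and not the project's own patch (the function name, signature and sample values are assumptions); it refuses a digit before the multiply-add would exceed INT_MAX, so no signed overflow ever occurs and the compiler has nothing to optimize away:

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened parser (added example). Returns the parsed length,
 * or -1 if the run of digits is empty or would not fit in a signed int.
 * *consumed receives the number of digits read (may be NULL). */
int parse_content_length(const char *buffer, size_t len, int *consumed)
{
    const char *p = buffer, *end = buffer + len;
    int number = 0, size = 0;

    while (p < end && *p >= '0' && *p <= '9') {
        int digit = *p - '0';
        /* number*10 + digit > INT_MAX  <=>  number > (INT_MAX - digit) / 10,
         * evaluated before the arithmetic, so nothing ever overflows. */
        if (number > (INT_MAX - digit) / 10) {
            fprintf(stderr, "number overflow at pos %d in len number [%.*s]\n",
                    (int)(p - buffer), (int)(end - buffer), buffer);
            return -1;
        }
        number = number * 10 + digit;
        size++;
        p++;
    }
    if (consumed)
        *consumed = size;
    return size ? number : -1;
}

int main(void)
{
    /* Constructed header values, not captured traffic. */
    const char *ok = "348\r\n";
    const char *max = "2147483647";   /* INT_MAX: still accepted */
    const char *big = "2147483648";   /* INT_MAX + 1: rejected */
    printf("%d\n", parse_content_length(ok, strlen(ok), NULL));   /* prints 348 */
    printf("%d\n", parse_content_length(max, strlen(max), NULL)); /* prints 2147483647 */
    printf("%d\n", parse_content_length(big, strlen(big), NULL)); /* prints -1 */
    return 0;
}
```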

Workarounds

The only workaround is to guarantee that the Content-Length value of input messages is never larger than 2147483647.

Solutions and Recommendations

This issue was fixed in commit 7cab422, which was tested and found to address the issue. For more info, refer to the Audit Document section 3.1.

For more information

If you have any questions or comments about this advisory:
