Headline
CVE-2023-28097: Vulnerability in the Content-Length Parser
OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, a malformed SIP message containing a large Content-Length value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the -m
flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred when shared memory was set to 2362
or higher. This issue is fixed in versions 3.1.9 and 3.2.6. The only workaround is to guarantee that the Content-Length value of input messages is never larger than 2147483647
.
Package
opensips (OpenSIPS Core)
Affected versions
<= 3.2.5, <= 3.1.8
Patched versions
3.1.9, 3.2.6
Impact
A malformed SIP message containing a large Content-Length value and a specially crafted Request-URI
causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using
the -m flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred
when shared memory was set to 2362 or higher.
Issue Description
The problem occurred in the following code block:
while (p<end && *p>='0' && *p<='9') {
number = number*10 + (*p)-'0';
if (number<0) {
LM_ERR("number overflow at pos %d in len number [%.*s]\n",
(int)(p-buffer),(int)(end-buffer), buffer);
return 0;
}
size ++;
p++;
}
This code block incorrectly assumes that an integer overflow of the variable number is detected by
checking if the value is less than zero. However, it was observed that this check returned false when
compiled with optimizations, even though the value overflowed to a negative number.
Workarounds
The only workaround is to guarantee that the Content-Length value of input messages is never larger than 2147483647.
Solutions and Recommendations
This issue was fixed in commit 7cab422, which was tested and found to address the issue. For more info, refer to the Audit Document section 3.1.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the OpenSIPS GitHub
- Email us at [email protected]