Headline
CVE-2020-27507: tm: do not add duplicate headers in local requests · kamailio/kamailio@ada3701
The Kamailio SIP before 5.5.0 server mishandles INVITE requests with duplicated fields and overlength tag, leading to a buffer overflow that crashes the server or possibly have unspecified other impact.
@@ -268,6 +268,7 @@ char *build_local_reparse(tm_cell_t *Trans,unsigned int branch, struct hdr_field *reas1, *reas_last, *hdr; int hadded = 0; sr_cfgenv_t *cenv = NULL; hdr_flags_t hdr_flags = 0;
invite_buf = Trans->uac[branch].request.buffer; invite_len = Trans->uac[branch].request.buffer_len; @@ -361,6 +362,11 @@ char *build_local_reparse(tm_cell_t *Trans,unsigned int branch, switch(hf_type) { case HDR_CSEQ_T: /* find the method name and replace it */ if(hdr_flags & HDR_CSEQ_F) { LM_DBG(“duplicate CSeq header\n”); goto errorhdr; } hdr_flags |= HDR_CSEQ_F; while ((s < invite_buf_end) && ((*s == ‘:’) || (*s == ' ') || (*s == ‘\t’) || ((*s >= ‘0’) && (*s <= ‘9’))) @@ -381,6 +387,12 @@ char *build_local_reparse(tm_cell_t *Trans,unsigned int branch, break;
case HDR_TO_T: if(hdr_flags & HDR_TO_F) { LM_DBG(“duplicate To header\n”); goto errorhdr; } hdr_flags |= HDR_TO_F;
if (to_len == 0) { /* there is no To tag required, just copy paste * the header */ @@ -395,7 +407,25 @@ char *build_local_reparse(tm_cell_t *Trans,unsigned int branch, break;
case HDR_FROM_T: /* copy hf */ if(hdr_flags & HDR_FROM_F) { LM_DBG(“duplicate From header\n”); goto errorhdr; } hdr_flags |= HDR_FROM_F; s = lw_next_line(s, invite_buf_end); append_str(d, s1, s - s1); break; case HDR_CALLID_T: /* copy hf */ if(hdr_flags & HDR_CALLID_F) { LM_DBG(“duplicate Call-Id header\n”); goto errorhdr; } hdr_flags |= HDR_CALLID_F; s = lw_next_line(s, invite_buf_end); append_str(d, s1, s - s1); break; case HDR_ROUTE_T: case HDR_MAXFORWARDS_T: /* copy hf */ @@ -495,6 +525,7 @@ char *build_local_reparse(tm_cell_t *Trans,unsigned int branch, /* HDR_EOH_T was not found in the buffer, the message is corrupt */ LM_ERR(“HDR_EOH_T was not found\n”);
errorhdr: shm_free(cancel_buf); error: LM_ERR("cannot build %.*s request\n", method_len, method);
Related news
Ubuntu Security Notice 6022-1 - It was discovered that Kamailio did not properly sanitize SIP messages under certain circumstances. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 ESM and 18.04 ESM. It was discovered that Kamailio did not properly validate INVITE requests under certain circumstances. An attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code.