Hi Steffen,
* Steffen Joeris <[EMAIL PROTECTED]> [2008-05-02 14:46]:
> Package: sip-tester
> Severity: important
> Tags: Security
>
> Hi
>
> The following CVE(0) has been issued against sip-tester.
>
> Please check, if it applies to the debian version.
>
> CVE-2008-1959:
> Stack-based buffer overflow in the get_remote_video_port_media function
> in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of
> service and possibly execute arbitrary code via a crafted SIP message.
> NOTE: some of these details are obtained from third party information.

BTW: the same issue affects get_remote_ip_media() and
get_remote_ipv6_media(), both unfixed in latest upstream release (3.1)
and the version in Debian:

uint32_t get_remote_ip_media(char *msg)
{
    char pattern[] = "c=IN IP4 ";
    char *begin, *end;
    char ip[32];
    begin = strstr(msg, pattern);
    if (!begin) {
      /* Can't find what we're looking at -> return no address */
      return INADDR_NONE;
    }
    begin += sizeof("c=IN IP4 ") - 1;
    end = strstr(begin, "\r\n");
    if (!end)
      return INADDR_NONE;
    memset(ip, 0, 32);
    strncpy(ip, begin, end - begin);
    return inet_addr(ip);
}

uint8_t get_remote_ipv6_media(char *msg, struct in6_addr addr)
{
    char pattern[] = "c=IN IP6 ";
    char *begin, *end;
    char ip[128];

    memset(&addr, 0, sizeof(addr));
    memset(ip, 0, 128);

    begin = strstr(msg, pattern);
    if (!begin) {
      /* Can't find what we're looking at -> return no address */
      return 0;
    }
    begin += sizeof("c=IN IP6 ") - 1;
    end = strstr(begin, "\r\n");
    if (!end)
      return 0;
    strncpy(ip, begin, end - begin);

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.