[asterisk-bugs] [JIRA] (ASTERISK-20837) [patch] build_route fails to parse Record-Route headers longer than 255 characters

Corey Farrell (JIRA) noreply at issues.asterisk.org
Tue Dec 25 15:05:45 CST 2012


     [ https://issues.asterisk.org/jira/browse/ASTERISK-20837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Corey Farrell updated ASTERISK-20837:
-------------------------------------

    Attachment: chan_sip-build_route-optimized-rev1.patch

chan_sip-build_route-optimized-rev1.patch fixes the issue by not copying the header to any temporary buffers.  Tested briefly on 1.8.19.0.

This code will correctly handle valid headers:
Record-Route: <sip:id1@10.10.10.10;lr>
Record-Route: <sip:id1@10.10.10.10;lr>, <sip:id1@10.10.10.20;lr>


Reasonable results are obtained from malformed headers:
Record-Route: <sip:id1,id2@10.10.10.10;lr>
* The comma is accepted as part of the value in brackets.

Record-Route: <sip:id1@10., <sip:id2@10.10.10.10;lr>
* The comma before 'sip:id1@10.10.10.10;lr' is treated as a separator between two values.  get_in_brackets_const first returns everything between the first open bracket and the close bracket.  But a comma is found inside with a 2nd open bracket after the comma.  This causes the part before the comma to be ignored as invalid.

I might be wrong, but it seems Record-Route doesn't allow quoted strings before hops?  Example:
Record-Route: "quoted text" <sip:dlg1@10.10.10.10;lr>

If this is not allowed the parser can be simplified further by removing processing of quoted strings.
                
> [patch] build_route fails to parse Record-Route headers longer than 255 characters
> ----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20837
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20837
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Interoperability
>    Affects Versions: 1.8.19.0
>            Reporter: Corey Farrell
>            Severity: Critical
>         Attachments: asterisk-large-rr-header.patch, chan_sip-build_route-optimized-rev1.patch
>
>
> build_route copies each Record-Route header to char rr_copy[256].  When the header is longer than this it cuts parts off.  This causes the header to be parsed wrong and the call fails to connect.
> This issue was found when connecting with the SIP core of a large organization.  The SIP core provides a single Record-Route header with comma separated values.  My patch malloc's rr_copy to the exact length required for each header, freeing after each is processed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
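
The truncation described in the report above, next to a copy-free walk over the header, as an added C example that is not the attached patch or Asterisk's own code. The names parse_hops, parse_hops_truncated and build_header and the 12-hop sample header are constructed for illustration, and the handling of a nested '<' is a simplified reading of the behaviour the comment describes.

```c
#include <stdio.h>
#include <string.h>

struct hop { const char *start; size_t len; };  /* points into the header, no copy */

/* Record each <...> span in place; a comma inside <...> stays part of the hop. */
static size_t parse_hops(const char *hdr, struct hop *out, size_t max)
{
    size_t n = 0;
    const char *p = hdr;
    while (n < max && (p = strchr(p, '<')) != NULL) {
        const char *s = ++p;
        for (; *p && *p != '>'; p++)
            if (*p == '<')
                s = p + 1;      /* '<' before '>': drop the fragment before it */
        if (*p != '>')
            break;              /* unterminated hop: stop, do not guess */
        out[n++] = (struct hop){ s, (size_t)(p - s) };
        p++;
    }
    return n;
}

/* 'Before' behaviour from the report: copy into a 256-byte buffer, then parse. */
static size_t parse_hops_truncated(const char *hdr, struct hop *out, size_t max)
{
    static char rr_copy[256];
    snprintf(rr_copy, sizeof(rr_copy), "%s", hdr);  /* bounded, but cuts at 255 */
    return parse_hops(rr_copy, out, max);
}

/* Constructed sample input: one header value with `count` comma-separated hops. */
static size_t build_header(char *buf, size_t size, int count)
{
    size_t used = 0;
    for (int i = 0; i < count && used < size; i++)
        used += (size_t)snprintf(buf + used, size - used,
                                 "%s<sip:id%d@10.10.10.%d;lr>", i ? ", " : "", i, i + 10);
    return used;
}

int main(void)
{
    char hdr[512];
    struct hop hops[16];
    build_header(hdr, sizeof(hdr), 12);
    printf("in place: %zu hops, via rr_copy[256]: %zu hops\n",
           parse_hops(hdr, hops, 16), parse_hops_truncated(hdr, hops, 16));
    return 0;
}
```

The copy is memory-safe but silently drops the tail of the route set, which is why the failure shows up as a call that does not connect rather than as a crash.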