Description
OpenSIPS version you are running
version: opensips 3.4.13 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: ddb81c092
main.c compiled on with gcc 11
Crash Core Dump
https://drive.google.com/file/d/1TWjNnrxDTK3C3c0oVmz2AVzSnUyYGPMZ/view?usp=sharing
Describe the traffic that generated the bug
OpenSIPS 3.4.13 seems to exhibit a systematic buffer overflow vulnerability in the B2B Logic module, causing several crashes a day with identical failure patterns. All crashes occur in add_lump_rpl()
function during B2B reply processing, with memory corruption showing ASCII SIP header data overwriting critical pointer structures.
1. IDENTICAL CRASH LOCATION: crashes occur at the exact same line: add_lump_rpl():80
2. SYSTEMATIC MEMORY CORRUPTION: pointer variables contain ASCII SIP header data
3. CONSISTENT MODULE PATH: 100% involve B2B Logic → TM → add_lump_rpl()
4. SAME ASSEMBLY INSTRUCTION: all fail on mov 0x18(%rax),%rax (accessing foo->next)
To Reproduce
It happens randomly, 1-2 times a day, with a load of 800-1000 simultaneous B2B calls.
Relevant System Logs
OS/environment information
- Operating System: Ubuntu 22.04
- OpenSIPS installation: apt packages
Additional context
Crash Timeline & Pattern
Date/Time | PID | Function | SIP Code | Corrupted Variable | ASCII Content
---|---|---|---|---|---
18/08 15:49 | 440647 | add_lump_rpl():80 | 500 | foo = 0x16 | (22 decimal)
18/08 15:59 | 1919731 | add_lump_rpl():80 | 180 | foo = 0x3932353965392e37 | "7.9e9529"
18/08 16:03 | 2106927 | build_res_buf():2531 | 180 | lump = 0xa0d300a | (168636426)
19/08 18:29 | 2169243 | add_lump_rpl():80 | ? | foo = 0x69736f707369442d | "-Disposi"
20/08 12:10 | 1625857 | add_lump_rpl():80 | 503 | foo = 0x353a39362e363431 | "146.69:5"
Root Cause: Buffer Overflow in B2B Logic Module
```c
// Crash location in data_lump_rpl.c:80
// Assembly instruction: mov 0x18(%rax),%rax
// Accessing: foo->next where foo is corrupted with SIP header content
foo = 0x353a39362e363431 // Contains "146.69:5" (part of Contact header)
foo = 0x69736f707369442d // Contains "-Disposi" (Disposition header fragment)
foo = 0x3932353965392e37 // Contains "7.9e9529" (numeric SIP content)
```
Evidence of Buffer Overflow:
- ASCII data in pointer addresses: clear indication of string buffer overrun
- Consistent offset corruption: always at structure field +24 bytes (->next)
Stack Trace (Common Pattern):
```text
#0 add_lump_rpl (data_lump_rpl.c:80) ← CRASH POINT (buffer overrun)
#1 _reply_with_body (tm/t_reply.c:1755) ← SIP response codes: 180/500/503
#2 t_reply_with_body (tm/t_reply.c:1885)
#3 _b2b_send_reply (b2b_entities/dlg.c:1966) ← B2B PROCESSING
#4 _b2b_handle_reply (b2b_logic/logic.c:1027) ← BUFFER OVERFLOW SOURCE
#5 b2b_handle_reply (b2b_logic/logic.c:1874)
```
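Added example for triaging the values in the table above; it is editor-written and is not part of the issue or of the OpenSIPS code base. It decodes each corrupted register value back into the little-endian bytes it was loaded from (reproducing the reporter's readings "146.69:5", "-Disposi" and "7.9e9529", and showing the build_res_buf() value 0xa0d300a as the bytes LF '0' CR LF), classifies a value as "overwritten by text" versus "small integer" or "plausible address", and, given a candidate header from a capture, locates the fragment in it to bound how far the write ran. The `struct lump_rpl_layout` is an assumption that mirrors the field order of OpenSIPS's `struct lump_rpl` (`str text; int flags; next`) to show why `->next` sits at +0x18 on x86_64; `SAMPLE_CONTACT` is a constructed header, not one from the crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: same field order as OpenSIPS's struct lump_rpl
 * (str text; int flags; struct lump_rpl *next), with str = {char *s; int len;}.
 * On x86_64 this places next at offset 24 (0x18), which is the operand of the
 * faulting instruction mov 0x18(%rax),%rax. */
typedef struct { char *s; int len; } str_t;
struct lump_rpl_layout {
    str_t text;
    int flags;
    struct lump_rpl_layout *next;
};

size_t next_field_offset(void)
{
    return offsetof(struct lump_rpl_layout, next);
}

/* Write the bytes a little-endian register value was loaded from into out,
 * lowest address first, dropping high-order zero bytes. Returns the byte
 * count; out is NUL-terminated, so 8 bytes of text fit. */
size_t decode_le_bytes(uint64_t v, char out[9])
{
    size_t n = 8;
    for (int i = 0; i < 8; i++)
        out[i] = (char)((v >> (8 * i)) & 0xff);
    while (n > 0 && out[n - 1] == '\0')
        n--;
    out[n] = '\0';
    return n;
}

/* Triage heuristic: a pointer whose every byte is printable ASCII or CR/LF
 * was overwritten by text. A small integer such as 0x16 or a real user-space
 * address such as 0x00007f... fails this test. */
bool looks_like_text(uint64_t v)
{
    char buf[9];
    size_t n = decode_le_bytes(v, buf);
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!((c >= 0x20 && c < 0x7f) || c == '\r' || c == '\n'))
            return false;
    }
    return true;
}

/* Given a candidate header captured from the same call, find where the leaked
 * fragment sits in it. Returns the byte offset or -1. Header start to that
 * offset is a lower bound on how far the write ran past the buffer. */
long fragment_offset(const char *header, uint64_t corrupted_ptr)
{
    char frag[9];
    if (decode_le_bytes(corrupted_ptr, frag) == 0)
        return -1;
    const char *p = strstr(header, frag);
    return p ? (long)(p - header) : -1;
}

/* Constructed sample header; the real Contact header is not on the page. */
static const char SAMPLE_CONTACT[] = "Contact: <sip:alice@10.146.69:5060>";

int main(void)
{
    const uint64_t vals[] = { 0x16ULL, 0x3932353965392e37ULL, 0xa0d300aULL,
                              0x69736f707369442dULL, 0x353a39362e363431ULL };
    char buf[9];
    printf("next field at +0x%zx\n", next_field_offset());
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++) {
        size_t n = decode_le_bytes(vals[i], buf);
        printf("0x%016llx -> %zu byte(s), text=%d: ",
               (unsigned long long)vals[i], n, (int)looks_like_text(vals[i]));
        for (size_t j = 0; j < n; j++) {
            unsigned char c = (unsigned char)buf[j];
            putchar((c >= 0x20 && c < 0x7f) ? (int)c : '.');
        }
        putchar('\n');
    }
    printf("fragment \"146.69:5\" at offset %ld of sample Contact\n",
           fragment_offset(SAMPLE_CONTACT, 0x353a39362e363431ULL));
    return 0;
}
```

Run it against the `foo`/`lump` values printed by gdb for each core; a value that passes `looks_like_text()` but sits at a non-text field is the signature in the table, while a value like 0x16 is better read as an integer (a length or count) that landed where a pointer was expected.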