[VOIPSEC] Actual Attacks - UA handling
br at brianrosen.net
Tue Mar 1 16:59:33 GMT 2005
While a registrar may choose to limit the size of a username to 256, a
firewall or SBC should not make such an assumption.
When using UDP, life is easy, because you have a max PDU size. You should
accept a SIP message that is at least that large, and any component in it
should be that large.
With TCP, you don't have that crutch. The body must have a length
(Content-Length), but there is no limit in the spec on the size of the
Most implementations use some reasonable limit like 64K. Every field in the
headers should be allowed to be that big unless the spec limits the size.
Most text fields do not have limits. It's pretty straightforward to allow
any field to be up to 64K without having to allocate buffers that size for
each item in advance.
I agree that Registrar's should have a local policy that allows the
administrator to limit the size of names. Firewalls and other middleboxes
have no way to know what those limits are.
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Mark Teicher
> Sent: Tuesday, March 01, 2005 8:21 AM
> To: Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Actual Attacks - UA handling
> Just validating whether a VOIP's implementation allows for buffer overflow
> in a URI over a REGISTER request over UDP is possible.
> Most UA should not accept a malicious request over 255 characters as the
> username, but some of the major player implementations do, and no
> configuration option to restrict how many characters a UA should accept.
> Voipsec mailing list
> Voipsec at voipsa.org
More information about the Voipsec