[VOIPSEC] Actual Attacks - UA handling

Brian Rosen br at brianrosen.net
Mon Mar 7 06:34:54 CST 2005


Yes.

Basically, the size of most text fields should not be limited to anything close
to 256.  Generally, the spec allows text fields of any length, but in
practice a message has to fit in a packet, and thus you have an effective
limit of 64K for the message.  It's theoretically possible to have headers
in a message sent with TCP be longer than that, but I don't think you will
see anyone complain about limiting total message length to 64K.

Brian

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Ari Takanen
> Sent: Thursday, March 03, 2005 2:33 AM
> To: Mark Teicher
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Actual Attacks - UA handling
> 
> Hello Mark,
> 
> In the specification, there should be no restriction on having a user
> name longer than 255 characters. Having over 255 characters in the user
> name is not an overflow in itself, and can be valid in some
> scenarios. An implementation that just cuts user names to 255
> characters is just broken from a SIP perspective. If the VoIP
> implementation happens to have an overflow in the parsing of the URI,
> you cannot protect from this by setting any hard limits in the
> implementation. We extensively test for problems like this in REGISTER
> also in our test tools, and I agree that behavior is different across
> implementations. Some crash and some don't :)
> 
> Best regards,
> 
> /Ari
> 
> --
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> Ari Takanen                       Codenomicon Ltd.
> ari.takanen at codenomicon.com       Kaitovayla 1
> tel: +358-40 50 67678             FIN-90570 Oulu
> http://www.codenomicon.com        Finland
> PGP: http://www.codenomicon.com/codenomicon-key.asc
> -o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
> 
> On Tue, Mar 01, 2005 at 08:20:59AM -0500, Mark Teicher wrote:
> > Just validating whether a VOIP's implementation allows for buffer
> > overflow in a URI over a REGISTER request over UDP is possible.
> > Most UA should not accept a malicious request over 255 characters as the
> > username, but some of the major player implementations do, and no
> > configuration option to restrict how many characters a UA should accept.
> >
> > /cheers
> > /
> 
> 
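The two points made in this thread (cap the whole message at 64K, and size field storage from the input instead of truncating at 255), as an added C example that is not code from the original messages or from any product discussed. `sip_first_user`, `parsed_user_len`, `SIP_MAX_MSG` and the sample REGISTER are hypothetical and constructed; the `sip:` match is case-sensitive and escapes are not decoded, as simplifications.

```c
#include <stdlib.h>
#include <string.h>
#define SIP_MAX_MSG 65535u   /* whole-message cap, the only hard limit applied */

/* Hypothetical helper: heap copy of the user part of the first sip: URI that
 * has one. NULL if the message is over the cap or no such URI. Caller frees. */
char *sip_first_user(const char *buf, size_t len, size_t *user_len)
{
    static const char scheme[] = "sip:", stop[] = "@> ;\r\n";
    const size_t slen = sizeof scheme - 1;
    size_t i, start, end;
    char *out;
    if (buf == NULL || user_len == NULL || len > SIP_MAX_MSG)
        return NULL;                      /* oversize: reject, never truncate */
    for (i = 0; i + slen <= len; i++) {   /* bounded: buf need not be NUL-terminated */
        if (memcmp(buf + i, scheme, slen) != 0)
            continue;
        start = end = i + slen;
        while (end < len && memchr(stop, buf[end], sizeof stop - 1) == NULL)
            end++;
        if (end == len || buf[end] != '@' || end == start)
            continue;                     /* e.g. Request-URI with no user part */
        out = malloc(end - start + 1);    /* sized from the input, no 255-byte field buffer */
        if (out == NULL)
            return NULL;
        memcpy(out, buf + start, end - start);
        out[end - start] = '\0';
        *user_len = end - start;
        return out;
    }
    return NULL;
}

/* Constructed input: a minimal REGISTER whose To user part is n 'A' bytes.
 * Returns the parsed user length, or 0 if the message was rejected. */
size_t parsed_user_len(size_t n)
{
    static const char head[] = "REGISTER sip:example.invalid SIP/2.0\r\nTo: <sip:";
    static const char tail[] = "@example.invalid>\r\n\r\n";
    size_t h = sizeof head - 1, t = sizeof tail - 1, got = 0;
    char *m = malloc(h + n + t);
    if (m == NULL) return 0;
    memcpy(m, head, h);
    memset(m + h, 'A', n);
    memcpy(m + h + n, tail, t);
    free(sip_first_user(m, h + n + t, &got));   /* got stays 0 on rejection */
    free(m);
    return got;
}
```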






