[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [osip-dev] SUBSCRIBE forking

From: Aymeric Moizard
Subject: Re: [osip-dev] SUBSCRIBE forking
Date: Thu, 13 Apr 2017 12:35:53 +0200

Hi Christoph,

I have partly discovered the issue (where NOTIFY with
different tag are accepted even if dialog is established)

Reading quickly the code, it seems the leak occurs on line 1133
of udp.c file? The dialog is replaced but not release?
(--line is calling _eXosip_dialog_init_as_uac--)

Do you confirm this is the leak?


2017-04-13 12:26 GMT+02:00 FEICHTER Christoph <address@hidden>:


hi aymeric,


we recently found out about a vulnerability of SIP regarding forking of SUBSCRIBE requests – which

also applies to eXosip.


The scenario is the following:

-          UAC subscribes an event

-          the UAS (subscribee) accepts and sends NOTIFY requests

-          the UAS generates for each NOTIFY request a new From-tag.


This makes it look for the subscriber as if the SUBSCRIBE request has been forked,

and multiple subscribes do send NOTIFYs !

In eXosip it seems to no make a difference, whether these NOTIFY requests are answered

by 200 Ok or a 456xx response. eXosip does create dialogs for each NOTIFY ..

.. and the memory consumption increases until we are out of memory.


What do you think about this vulnerability ?

Should we specify a max. number of forks for SUBSCRIBE ?


Regards and happy easter,




osip-dev mailing list

Antisip - http://www.antisip.com

reply via email to

[Prev in Thread] Current Thread [Next in Thread]