[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [osip-dev] SUBSCRIBE forking

From: FEICHTER Christoph
Subject: Re: [osip-dev] SUBSCRIBE forking
Date: Thu, 13 Apr 2017 11:58:15 +0000

hi aymeric,


I currently only have the sources of eXosip 5.0.0; here it’s line 1053 in udp.c

yes – it’s the call of _eXosip_dialog_init_as_uac


… but according to RFC 3265 / RFC 6665 it is a valid use-case

to fork a SUBSCRIBE and generate additional dialogs with multiple NOTIFYs.

So, if you strictly allow only a single dialog per subscription,

you are on the safe side – but you disallow a feature, which should be possible !


What do you think about limiting the number of forks ? (e.g. to 8 oder 16, which could be a define)

we would only call _eXosip_dialog_init_as_uac  in case that the max. number of dialogs

in the matching subscription is not yet reached.

otherwise we should send a 481 – without generating a dialog !

.. or  ignore the NOTIFY request at all.






From: Aymeric Moizard [mailto:address@hidden
Sent: Donnerstag, 13. April 2017 12:36
To: FEICHTER Christoph
Cc: address@hidden
Subject: Re: [osip-dev] SUBSCRIBE forking


Hi Christoph,


I have partly discovered the issue (where NOTIFY with

different tag are accepted even if dialog is established)


Reading quickly the code, it seems the leak occurs on line 1133

of udp.c file? The dialog is replaced but not release?

(--line is calling _eXosip_dialog_init_as_uac--)


Do you confirm this is the leak?






2017-04-13 12:26 GMT+02:00 FEICHTER Christoph <address@hidden>:


hi aymeric,


we recently found out about a vulnerability of SIP regarding forking of SUBSCRIBE requests – which

also applies to eXosip.


The scenario is the following:

-          UAC subscribes an event

-          the UAS (subscribee) accepts and sends NOTIFY requests

-          the UAS generates for each NOTIFY request a new From-tag.


This makes it look for the subscriber as if the SUBSCRIBE request has been forked,

and multiple subscribes do send NOTIFYs !

In eXosip it seems to no make a difference, whether these NOTIFY requests are answered

by 200 Ok or a 456xx response. eXosip does create dialogs for each NOTIFY ..

.. and the memory consumption increases until we are out of memory.


What do you think about this vulnerability ?

Should we specify a max. number of forks for SUBSCRIBE ?


Regards and happy easter,




osip-dev mailing list



reply via email to

[Prev in Thread] Current Thread [Next in Thread]