Bug 529082 - Remote denial of service
Status: RESOLVED OBSOLETE
Product: ekiga
Classification: Applications
Component: general
Version: 2.0.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Ekiga maintainers
QA Contact: Ekiga maintainers
Duplicates: 548686
Depends on:
Blocks:
Reported: 2008-04-20 17:56 UTC by nnp
Modified: 2011-01-25 09:23 UTC
See Also:
GNOME target: ---
GNOME version: 2.19/2.20


Attachments
Proof of concept (33.59 KB, text/plain)
2008-04-20 17:58 UTC, nnp

Description nnp 2008-04-20 17:56:19 UTC
It is possible to cause a crash in Ekiga by sending a SIP request with exceptionally long elements in the From field that get displayed to the user when a notification for an incoming call is created.

The following output is produced:

nnp@ubuntu:~$ ekiga
The program 'ekiga' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadAlloc (insufficient resources for operation)'.
  (Details: serial 2017 error_code 11 request_code 53 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Segmentation fault (core dumped)
Comment 1 nnp 2008-04-20 17:58:37 UTC
Created attachment 109592
Proof of concept

This Python script should recreate the issue. Run it as follows:

python ekiga_dos.py IP PORT
Comment 2 Eugen Dedu 2008-08-13 12:45:48 UTC
I confirm this bug.  Start ekiga and execute "python ekiga_dos.py myIPaddr 5060".  It's a bug in opal, SVN included.

For me, at least, the problem is not that the From field is long (I removed nearly all the 'B'), but that GetSDP sees that sdp is null, hence it triggers this assertion error.  File opal/src/sip/sipcon.cxx, function SIPConnection::GetMediaFormats, line
  SDPSessionDescription & sdp = originalInvite->GetSDP();
Comment 3 Yannick 2008-08-20 15:32:43 UTC
*** Bug 548686 has been marked as a duplicate of this bug. ***
Comment 4 Damien Sandras 2008-08-27 20:59:58 UTC
Well, I cannot reproduce the problem here (there is an SDP).

Having a NULL SDP in an incoming INVITE is not normal, so printing an assertion is not that bad.
Comment 5 Yannick 2008-08-31 18:31:46 UTC
I tested version from 30/08, and there was no crash anymore.

Yannick
Comment 6 Jan Schampera 2008-09-13 07:29:51 UTC
I can't crash it either. But I saw (dunno if that's related to something else, so feel free to open another bugreport):

- once you click "Accept" in the desktop notify thing (which fails, clear), then you can't call it with that thing anymore.

I don't have a possibility to test if that's a general issue or not, now.

Again: The crash per se doesn't happen.
Comment 7 Eugen Dedu 2011-01-25 09:23:56 UTC
Tested with current master: no crash, can call 500 afterwards, 520 too. If you refuse the call, you have to wait 10-20 seconds, since ekiga tries to send the answer, which is too big for a UDP packet (33kB), until timeout. So closing.
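
The two failure modes discussed in this report (an oversized From value reaching the notification UI, and code that assumes every INVITE carries SDP) can both be handled at the point where the request is summarized for the rest of the application. The following is an added defensive sketch, not code from Ekiga, OPAL or this bug report; `kMaxDisplay`, `InviteSummary`, `SanitizeForDisplay` and `SummarizeInvite` are hypothetical names, and the header split is deliberately minimal rather than a full RFC 3261 parser.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>

// Hypothetical cap on text handed to the notification UI (assumption).
constexpr std::size_t kMaxDisplay = 64;

struct InviteSummary {
    std::string caller;    // bounded, printable-ASCII-only text for the UI
    bool has_sdp = false;  // callers test this instead of assuming a body
    std::string sdp;       // empty unless has_sdp is true
};

// Bound and clean a header value before it reaches any widget.
std::string SanitizeForDisplay(const std::string& raw) {
    std::string out;
    for (unsigned char c : raw) {
        if (out.size() == kMaxDisplay) { out += "..."; break; }
        out += std::isprint(c) ? static_cast<char>(c) : '?';
    }
    return out;
}

// Minimal header/body split: picks out From and Content-Type only.
InviteSummary SummarizeInvite(const std::string& msg) {
    InviteSummary s;
    const std::size_t split = msg.find("\r\n\r\n");
    std::istringstream headers(msg.substr(0, split));
    bool sdp_type = false;
    for (std::string line; std::getline(headers, line);) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        std::string lower(line);
        std::transform(lower.begin(), lower.end(), lower.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        if (lower.rfind("from:", 0) == 0) {
            const std::size_t p = line.find_first_not_of(" \t", 5);
            s.caller = SanitizeForDisplay(p == std::string::npos ? "" : line.substr(p));
        } else if (lower.rfind("content-type:", 0) == 0) {
            sdp_type = lower.find("application/sdp") != std::string::npos;
        }
    }
    // A missing body is reported as a state, never dereferenced or asserted on.
    s.has_sdp = sdp_type && split != std::string::npos && split + 4 < msg.size();
    if (s.has_sdp) s.sdp = msg.substr(split + 4);
    return s;
}
```

Code that builds the media format list would branch on `has_sdp` and treat its absence as an INVITE without an offer, and the UI would only ever receive `caller`, whose length is bounded regardless of what arrived on the wire.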