strip_body() causes crash when used on specific INVITE

[klarrimore]

This INVITE (where XXX.XX.XXX.XX is the OpenSIPS ip) causes OpenSIPS 1.10.5-tls and 1.11.5-tls and maybe others to crash on CentOS 6 when strip_body() is attempted.

INVITE sip:900972592546689@XXX.XX.XXX.XX;transport=UDP SIP/2.0
Supported: 
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE
Contact: 900972592546689 <sip:900972592546689@XXX.XX.XXX.XX:50236>
Via: SIP/2.0/UDP XXX.XX.XXX.XX:50236;branch=d95smf3k0te54dl3dauthozk5gpx505zukaokidsx8dle0qeogetnaf9un6wzur4j3jv6gc
Call-id: 589788f25a9969f51c504eb2a7361a8a@XXX.XX.XXX.XX
Cseq: 1 INVITE
From: 1001 <sip:1001@XXX.XX.XXX.XX>;tag=ddb044893807095baf1cf07269f03118
Max-forwards: 70
To: <sip:900972592546689@XXX.XX.XXX.XX>
Content-length: 123

v=0
o=anonymous 1312841870 1312841870 IN IP4 XXX.XX.XXX.XX
s=session
c=IN IP4 XXX.XX.XXX.XX
t=0 0
m=audio 2362 RTP/AVP 0

Dec 22 00:51:55 gw1 kernel: [38681399.049926] opensips[21078]: segfault at 8 ip 00007f254d54fcad sp 00007fff61fe0120 error 4 in sipmsgops.so[7f254d547000+11000]

[ionutrazvanionita]

fixed your issue both in 1.10 4f95a61 and 1.11 245b549 but, as the RFC 3261 states The Content-Type header field MUST be present if the body is not empty. so your example is an invalid SIP message. In that case I throwed a warning, but the body will still be stripped.

[klarrimore]

That INVITE came from an attacker so it's really a DoS issue.