Yate (Yet Another Telephony Engine) is "a production-ready next-generation telephony engine". The SIP channel module of Yate contains a denial of service vulnerability caused by a null pointer dereference. It can be triggered by having the SIP module process a SIP message that carries a "Call-Info" header whose value lacks the "purpose" parameter.
Credit:
The information has been provided by Yuri Gushin.
1: const SIPHeaderLine* hl = m_tr->initialMessage()->getHeader("Call-Info");
2: if (hl) {
3:     const NamedString* type = hl->getParam("purpose");
4:     if (!type || *type == "info")
5:         m->addParam("caller_info_uri",*type);
6:     else if (*type == "icon")
7:         m->addParam("caller_icon_uri",*type);
8:     else if (*type == "card")
9:         m->addParam("caller_card_uri",*type);
10: }
Once the "Call-Info" header is found in the SIP message (line 1), the "purpose" parameter is extracted from it (line 3). If that parameter is absent, or its value is "info", the "caller_info_uri" parameter is set (line 5). The intent was to copy the value of the "Call-Info" header, but due to a programming error the value of the "purpose" parameter (*type) is copied instead. When the "purpose" parameter is missing, getParam() (line 3) returns 0, the "!type" test on line 4 succeeds, and line 5 dereferences the null pointer, crashing the engine. Lines 7 and 9 contain the same copy error, but those branches are only reached when "purpose" is present, so they do not dereference a null pointer.
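The following is an added example, not Yate's own code: a self-contained model of the Call-Info handling quoted above, with the buggy logic beside a hardened version that copies the header value. The NamedString, SIPHeaderLine and parseHeaderLine/findHeader shapes are stand-ins assumed for illustration (Yate's real classes differ), and the INVITE message embedded in the block is constructed, not captured traffic.

```cpp
// Added example (not Yate's code): model of the Call-Info "purpose" handling.
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Stand-ins for Yate's NamedString / SIPHeaderLine (assumed shapes).
struct NamedString {
    std::string name;
    std::string value;
};

struct SIPHeaderLine {
    std::string value;                 // header value before the first ';'
    std::vector<NamedString> params;   // ";name=value" parameters

    // Returns nullptr when the parameter is absent, like Yate's getParam().
    const NamedString* getParam(const std::string& n) const {
        for (const NamedString& p : params)
            if (p.name == n) return &p;
        return nullptr;
    }
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Parse "<uri>;purpose=icon;foo=bar" (no surrounding whitespace) into value + params.
SIPHeaderLine parseHeaderLine(const std::string& raw) {
    SIPHeaderLine hl;
    size_t pos = raw.find(';');
    hl.value = raw.substr(0, pos);
    while (pos != std::string::npos) {
        size_t next = raw.find(';', pos + 1);
        std::string part = raw.substr(pos + 1,
            next == std::string::npos ? std::string::npos : next - pos - 1);
        size_t eq = part.find('=');
        NamedString ns;
        ns.name = part.substr(0, eq);
        ns.value = eq == std::string::npos ? "" : part.substr(eq + 1);
        hl.params.push_back(ns);
        pos = next;
    }
    return hl;
}

// Locate a header in a raw SIP message (names are case-insensitive).
// Returns false when the header is absent; otherwise stores the trimmed value.
bool findHeader(const std::string& msg, const std::string& name, std::string& out) {
    const std::string want = lower(name + ":");
    size_t start = 0;
    while (start < msg.size()) {
        size_t end = msg.find("\r\n", start);
        if (end == std::string::npos) end = msg.size();
        std::string line = msg.substr(start, end - start);
        if (line.size() >= want.size() && lower(line.substr(0, want.size())) == want) {
            out = line.substr(want.size());
            size_t p = out.find_first_not_of(" \t");
            out = p == std::string::npos ? "" : out.substr(p);
            return true;
        }
        start = end + 2;
    }
    return false;
}

typedef std::map<std::string, std::string> Params;

// Mirrors the advisory's snippet: copies the "purpose" value instead of the
// header value, and dereferences 'type' even when getParam() returned null.
// Calling this with a Call-Info header lacking "purpose" crashes (null deref).
Params vulnerableCallInfo(const SIPHeaderLine& hl) {
    Params m;
    const NamedString* type = hl.getParam("purpose");
    if (!type || type->value == "info")
        m["caller_info_uri"] = type->value;   // null dereference when purpose is absent
    else if (type->value == "icon")
        m["caller_icon_uri"] = type->value;
    else if (type->value == "card")
        m["caller_card_uri"] = type->value;
    return m;
}

// Hardened form: the header value is what belongs in the parameter, and
// it is valid whether or not "purpose" is present.
Params hardenedCallInfo(const SIPHeaderLine& hl) {
    Params m;
    const NamedString* type = hl.getParam("purpose");
    if (!type || type->value == "info")
        m["caller_info_uri"] = hl.value;
    else if (type->value == "icon")
        m["caller_icon_uri"] = hl.value;
    else if (type->value == "card")
        m["caller_card_uri"] = hl.value;
    return m;
}

// Constructed INVITE whose Call-Info header has no "purpose" parameter.
const char* const kTriggerMessage =
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Call-Info: <http://www.example.com/alice/>\r\n"
    "Content-Length: 0\r\n\r\n";
```

Running hardenedCallInfo over the Call-Info line of kTriggerMessage yields caller_info_uri set to the URI; the vulnerable variant would dereference null on the same input, and on a header with purpose=icon it stores the string "icon" rather than the URI, which is the second half of the logic error described above.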