yuyz-cyber created an issue (kamailio/kamailio#4563)

Description
Kamailio evaluates ctype macros/functions (e.g., isalnum(), isdigit(), 
tolower()) on raw SIP message bytes stored in char without casting to (unsigned 
char) first. On platforms where char is signed, bytes ≥ 0x80 become negative 
and passing them to ctype APIs is C undefined behavior. This is remotely 
triggerable via malformed SIP messages containing non-ASCII bytes in URI/header 
components, and can result in unpredictable parsing behavior or crashes 
depending on libc/build.

Reproduction
Start Kamailio:
kamailio -f kamailio-basic.cfg -L /path/to/modules -Y /tmp/runtime_dir -n 1 -D -E
Send a SIP message with a high-bit byte in the Request-URI (literal byte 0x80 
after sip:):
import socket

msg = (
    b"OPTIONS sip:\x80 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 127.0.0.1:5061;branch=z9hG4bK-poc\r\n"
    b"From: <sip:[email protected]>;tag=1\r\n"
    b"To: <sip:[email protected]>\r\n"
    b"Call-ID: [email protected]\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind(("127.0.0.1", 5061))
s.sendto(msg, ("127.0.0.1", 5060))
s.close()

Debugging Data
Representative call sites showing the UB pattern (ctype invoked on char without 
(unsigned char) cast):
parse_uri.c (line 645) (isalnum(*p))
parse_uri.c (line 656) (!isalnum(*p))
parse_identityinfo.c (line 302) (isalnum(*p))
strutils.c (line 849) (isdigit(hex_code) / tolower(hex_code))
strutils.c (line 874) (isalnum(*p))
(no core dump in my environment; this is a code-level undefined behavior report)

Log Messages
ERROR: <core> [core/resolve.c:1777]: sip_hostport2su(): could not resolve hostname: "€"

SIP Traffic
OPTIONS sip:\x80 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1:5061;branch=z9hG4bK-poc
From: <sip:[email protected]>;tag=1
To: <sip:[email protected]>
Call-ID: [email protected]
CSeq: 1 OPTIONS
Content-Length: 0

Additional Information
Kamailio Version - output of kamailio -v
version: kamailio 6.1.0-pre0 (x86_64/linux) 40c9f5-dirty
compiled on 18:09:23 Jan 19 2026 with clang clang version 10.0.0-4ubuntu1
Operating System:
Ubuntu 22.04.5 LTS (jammy)
Linux 6.6.87.2-microsoft-standard-WSL2 x86_64

https://github.com/kamailio/kamailio/issues/4563
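The remediation pattern for the call sites listed in the report, as an added example (not Kamailio code and not part of the original issue): wrappers that convert the raw byte to unsigned char before any ctype call, used by a prefix scanner and a hex-digit decoder. All function names and the sample buffer are constructed for illustration; the default "C" locale is assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hardened wrappers: a ctype argument must be EOF or representable as
 * unsigned char, so convert the raw byte before the call. */
static int safe_isalnum(char c) { return isalnum((unsigned char)c); }
static int safe_isdigit(char c) { return isdigit((unsigned char)c); }
static char safe_tolower(char c) { return (char)tolower((unsigned char)c); }

/* The int value an uncast call such as isalnum(*p) would receive.
 * A negative value other than EOF makes that call undefined behavior. */
static int ctype_arg_uncast(char c) { return (int)c; }

/* Length of the leading alphanumeric run in buf[0..len), using only the
 * safe wrapper. Bytes >= 0x80 end the run in the "C" locale. */
static size_t alnum_prefix_len(const char *buf, size_t len)
{
	size_t i = 0;
	while (i < len && safe_isalnum(buf[i]))
		i++;
	return i;
}

/* Decode one hex digit as a %XX unescape loop would; -1 if invalid. */
static int hex_digit_value(char c)
{
	if (safe_isdigit(c))
		return c - '0';
	c = safe_tolower(c);
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

int main(void)
{
	/* Constructed sample: a token with a high-bit byte in the middle. */
	const char host[] = "ab\x80" "cd";
	printf("uncast arg for 0x80: %d\n", ctype_arg_uncast(host[2]));
	printf("alnum prefix: %zu\n", alnum_prefix_len(host, sizeof(host) - 1));
	printf("hex 'F' -> %d, hex 0x80 -> %d\n",
	       hex_digit_value('F'), hex_digit_value('\x80'));
	return 0;
}
```

Where char is signed, the first line printed is -128, which is the value the uncast call sites would hand to the ctype functions.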