[pjsip] Invalid registration cause, STUN Message too long (WSAEMSGSIZE) error

Benny Prijono bennylp at pjsip.org
Thu Nov 22 23:00:03 EST 2007


Lafras Henning wrote:
> Hi Benny,
> 
> 
> I have come across the following strange situation:
> I have a soft phone running and trying to register to PJSUA,
> when PJSUA starts with STUN it gets a
> Message too long (WSAEMSGSIZE) error and quits.
> 
> It does not happen if I don't use STUN,
> and it does not happen if I shut the soft phone down.
> 
> The registration details of the soft phone are invalid.

I see that the softphone sends REGISTER every 150 msec or so, so
it's quite interesting to be able to configure the softphone to do
nasty things like this. :)

> Included is the Wireshark trace; you can see the soft phone trying to 
> register, and ICMP indicating the port is not open.
> 
> When PJSUA starts you see it send the STUN binding request,
> BUT very strange: ICMP continues to reply unreachable....
> (the port should be open by now ?)

Not quite. The STUN binding requests were mostly sent by the NAT
testing socket, and they were not sent from port 5060.

> The largest packet on the wire is 753 bytes.

Yes. The pjstun_get_mapped_addr() just didn't expect to receive STUN
messages this big, so it bailed out.

> I can reproduce the error, please advise if any further logs or tests 
> would be useful.
> 
> This can lead to DoS attacks.

I agree. I've committed a fix for this in
http://www.pjsip.org/trac/ticket/425. The workaround is to ignore
recvfrom() and parsing errors, and continue retransmitting the STUN
binding request upon encountering these errors.

(FYI, this applies to the old/simple STUN in pjlib-util,
and not the new STUN in pjnath. The new STUN in pjnath should be
more robust against possible errors like this).

Thanks for catching this!

cheers,
  -benny


> 
> Regards
> 
> Lafras
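
The workaround described in the reply above (ignore receive and parse errors, keep waiting for the real Binding Response), shown as an added example; this is not pjsip's code or the committed fix. The names `wait_for_binding_response`, `struct datagram` and the 512-byte `RX_BUF_LEN` are assumptions for illustration, the header layout is the RFC 3489 one, and the inbound datagrams are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUN_HDR_LEN      20      /* RFC 3489: type(2) + length(2) + transaction ID(16) */
#define STUN_BINDING_RESP 0x0101
#define RX_BUF_LEN        512     /* assumed receive buffer size, not pjlib-util's value */

/* One inbound datagram (constructed model of what the socket would deliver). */
struct datagram { const uint8_t *data; size_t wire_len; };

/* Return 1 only for a well-formed Binding Response carrying our transaction ID. */
static int is_our_binding_response(const uint8_t *buf, size_t len, const uint8_t tid[16])
{
    if (len < STUN_HDR_LEN) return 0;
    unsigned type = (buf[0] << 8) | buf[1];
    size_t body = ((size_t)buf[2] << 8) | buf[3];
    if (type != STUN_BINDING_RESP) return 0;
    if (body != len - STUN_HDR_LEN) return 0;   /* length field must match the datagram */
    return memcmp(buf + 4, tid, 16) == 0;
}

/* Skip oversized or unparseable datagrams instead of aborting. Returns the
 * index of the accepted response, or -1 if none arrived, in which case the
 * caller retransmits the Binding Request and waits again. */
int wait_for_binding_response(const struct datagram *rx, size_t n, const uint8_t tid[16])
{
    for (size_t i = 0; i < n; i++) {
        if (rx[i].wire_len > RX_BUF_LEN)
            continue;                       /* the WSAEMSGSIZE case: drop, keep listening */
        if (is_our_binding_response(rx[i].data, rx[i].wire_len, tid))
            return (int)i;
        /* parse failure or foreign traffic (e.g. a SIP REGISTER): ignore */
    }
    return -1;
}

int main(void)
{
    /* Constructed input: a 753-byte non-STUN datagram (size from the thread, content assumed). */
    static uint8_t sip[753] = "REGISTER sip:example.invalid SIP/2.0\r\n";
    uint8_t tid[16], resp[STUN_HDR_LEN] = { 0x01, 0x01, 0x00, 0x00 };
    memset(tid, 0x5a, sizeof tid);
    memcpy(resp + 4, tid, sizeof tid);
    struct datagram rx[] = { { sip, sizeof sip }, { resp, sizeof resp } };
    return wait_for_binding_response(rx, 2, tid) == 1 ? 0 : 1;
}
```

Matching the transaction ID before accepting a response is what keeps unrelated or spoofed traffic on the port from ending the STUN exchange early.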







