CVE-2021-43611

Vulnerability

A heap buffer over-read vulnerability exists in Belledonne Belle-sip versions before 5.0.20. When parsing a SIP message’s From header, the function belle_sip_string_to_backslash_less_unescaped_string in belle-sip/src/sip-header.c does not properly validate that a backslash character is followed by at least one additional byte before skipping it. An attacker can trigger this by placing a lone \ as the last character of the display name in the From header, causing the loop to read past the allocated buffer [1]. The issue was fixed in commit d3f0651 and released in version 5.0.20 [2].

Exploitation

An attacker only needs to send a crafted SIP message (such as an INVITE or CANCEL) with a From header display name ending in \. The message is processed by any application using the vulnerable library (e.g., Linphone). No authentication or prior position on the network is required — the attack can be delivered over the open SIP signaling channel. No user interaction beyond receiving the message is necessary [1][2].

Impact

Successful exploitation causes a heap over-read, which typically results in a segmentation fault and immediate crash of the application. The vulnerability is a denial-of-service (DoS) condition; there is no indication from the available references that code execution or data disclosure is possible. Affected services become unavailable until restarted [1][2].

Mitigation

Users should upgrade to Belle-sip 5.0.20 or later, released on September 8, 2021 [2]. If immediate upgrade is not possible, a workaround is to filter incoming SIP messages at the network edge to reject those with a From display name that ends with a bare backslash. No EOL status or KEV listing has been published [1][2].