SIP Torture Tests
Legal but likely not implemented
- whitespace everywhere (around colons, around semicolons);
- no space after colons;
- continuation lines: everywhere there can be whitespace (including
around colons, around semicolons, after colons, in the middle of things
like CSeq and Via);
- case: cAmEl CaSe headers, other case-insensitive fields;
- empty values in unstructured headers (e.g. Subject);
- unknown Require/Proxy-Require headers;
- Surprising header ordering (Via last, Via in the middle);
- Comma-separated values;
- Mixed comma-separated and header-separated values for the same
header;
- Expires after 2000, after 2038, after 9999 (five-digit years
aren't legal, but the implementation shouldn't crash);
- Expires: 1;
- Unknown schemes in Request-URI, To, From, Contact (is this really
legal for INVITE?);
- Unknown header field names;
- Unknown parameters of known headers;
- Check how header formatting gets through a proxy;
- INVITE Requests with Accept: but not listing
application/sdp;
- INVITE Requests without application/sdp payloads;
- INVITE to a multicast session;
- INVITE with "blank" SDP (e.g., for H.323 interop);
- Unknown methods (for proxies);
- Unknown authentication schemes;
- Multiple requests in a UDP packet;
- Extra bytes at end of UDP packet;
- Christmas-tree Via headers;
- Dozens of Via headers (there should be no limit, beyond message size
constraints, to the number of Via headers understood);
- Very long messages, up to UDP maximum packet size (i.e., including
fragmentation and reassembly);
- Short-form, long-form, both for the same header field;
- Evil quoting games: "This ends with a backslash: \\"
"This ends with a backslash and a quote: \\\""
- Extra whitespace between requests (this is legal!)
- versions other than SIP/2.0
- Extremely long URLs, To and From fields (to make sure SIP
implementations don't become vehicles for buffer overrun attacks)
- URLs containing semicolons in the "user" part
SDP
- Various charsets.
- Future sessions.
- Several session dates and repeats, as in sdr.
Not Likely to be Implemented Yet
Illegal but shouldn't crash you:
- CSeq out of order
- missing any or all of To/From/Call-ID/CSeq
- multiple of any or all of To/From/Call-ID/CSeq
- multiple of other non-repeatable headers
- empty values or parameters (,, or ;;)
- CSeq method and Header method disagree
- gibberish in Request-URI
- broken Date fields; syntactically or semantically
- case-sensitive fields in the wrong case (e.g., invite sip://foo)
- Via: 255.255.255.255
- Via: 127.0.0.1
- Via: nonexistenthost.example.com
- wrong Content-length
- garbage after request
- un-terminated quotes
- un-terminated < in Contact
- splitting request and response across TCP connections
- out-of-range status code (e.g., 704)
- appropriate handling of unexpected protocols (e.g. "GET /~hgs/sip/
HTTP/1.1")
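An added example, not part of the original checklist or of any SIP implementation: a lenient request-header parser in Python that accepts several of the legal oddities above (leading CRLFs, whitespace around colons, continuation lines, mixed-case and short-form names) and reports the illegal ones (missing or repeated To/From/Call-ID/CSeq, CSeq method mismatch, wrong Content-Length, a non-SIP request line) as problems instead of raising. It assumes CRLF line endings and requests only; parse_request, COMPACT, SINGLETON and the LEGAL sample are hypothetical names and constructed data.

```python
import re

# Compact header forms from RFC 3261, mapped to their long names.
COMPACT = {"i": "call-id", "m": "contact", "e": "content-encoding",
           "l": "content-length", "c": "content-type", "f": "from",
           "s": "subject", "k": "supported", "t": "to", "v": "via"}
SINGLETON = ("to", "from", "call-id", "cseq")  # must appear exactly once


def parse_request(raw: bytes):
    """Hypothetical helper: return (headers, problems) and never raise."""
    problems = []
    # Leading CRLFs between requests are legal and ignored.
    head, _, body = raw.lstrip(b"\r\n").partition(b"\r\n\r\n")
    text = head.decode("utf-8", errors="replace")
    # Unfold continuation lines: CRLF followed by SP/HT is plain whitespace.
    lines = re.sub(r"\r\n[ \t]+", " ", text).split("\r\n")
    start = lines[0].split()
    if len(start) != 3 or not start[2].upper().startswith("SIP/"):
        problems.append("malformed request line")
    method = start[0] if start else ""
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        name = name.strip().lower()  # header names are case-insensitive
        if not colon or not name:
            problems.append(f"unparseable header line: {line[:40]!r}")
            continue
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    for name in SINGLETON:
        count = len(headers.get(name, []))
        if count != 1:
            problems.append(f"{name}: expected 1, found {count}")
    cseq = headers.get("cseq", [""])[0].split()
    if len(cseq) == 2 and cseq[1] != method:
        problems.append("CSeq method and request method disagree")
    for value in headers.get("content-length", []):
        # Bounded ASCII digits only: no signs, no oversized numbers.
        if not re.fullmatch(r"[0-9]{1,9}", value):
            problems.append("Content-Length is not a sane number")
        elif int(value) > len(body):
            problems.append("Content-Length exceeds bytes received")
    return headers, problems

# Constructed sample: folded CSeq, odd case and spacing, short forms.
LEGAL = (b"\r\nINVITE sip:user@example.com SIP/2.0\r\n"
         b"tO :  sip:user@example.com\r\nf:sip:caller@example.net\r\n"
         b"CALL-ID: 1@example.net\r\nCSeq:\r\n 7\r\n\tINVITE\r\n"
         b"v: SIP/2.0/UDP host.example.net\r\nl: 0\r\n\r\n")
```

Calling parse_request(LEGAL) yields an empty problem list; comma-separated header values and quoted-string handling are outside what this block covers.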
Undefined Behavior
- multicast requests that require authentication (401)
Last updated
by Henning Schulzrinne