Description
baresip seems to lack a check on the CSeq field in a client's INVITE. The attached pcap shows that a client's INVITE without a CSeq field is accepted by the server, which responds with 180 and 200.
RFC 3261 requires that a client INVITE contain a CSeq field, so an INVITE without CSeq seems to be invalid.
A valid SIP request formulated by a UAC MUST, at a minimum, contain the following header fields: To, From, CSeq, Call-ID, Max-Forwards, and Via; all of these header fields are mandatory in all SIP requests.
But since the server's response copies fields from the client request, the 180 and 200 responses sent by the server also lack the CSeq field (as shown in the pcap). So I think it would be good to check the CSeq field in the client INVITE request and either ignore invalid requests or send error messages back.
The From field of the response MUST equal the From header field of
the request. The Call-ID header field of the response MUST equal the
Call-ID header field of the request. The CSeq header field of the
response MUST equal the CSeq field of the request. The Via header
field values in the response MUST equal the Via header field values
in the request and MUST maintain the same ordering.
Environment
Baresip server v1.0.0
Ubuntu 18.04
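
The check requested above, sketched as an added example (not baresip or libre code, and not part of the original report): a stand-alone C function that scans a raw SIP request for the six header fields RFC 3261 makes mandatory, accepting compact forms, and reports which are missing so the caller can ignore or reject the request. The function name, bit names and sample messages are constructed for this illustration.

```c
#include <string.h>
#include <strings.h>

enum { H_TO = 1, H_FROM = 2, H_CSEQ = 4, H_CALL_ID = 8, H_MAX_FORWARDS = 16, H_VIA = 32, H_ALL = 63 };
/* Mandatory request headers (RFC 3261 section 8.1.1) and their compact
 * forms (section 7.3.3); CSeq and Max-Forwards have no compact form. */
static const struct { const char *name, *compact; unsigned bit; } mandatory[] = {
    {"To", "t", H_TO}, {"From", "f", H_FROM}, {"CSeq", NULL, H_CSEQ},
    {"Call-ID", "i", H_CALL_ID}, {"Max-Forwards", NULL, H_MAX_FORWARDS},
    {"Via", "v", H_VIA},
};

/* Returns a bitmask of missing mandatory headers; 0 means all are present. */
unsigned sip_missing_headers(const char *msg)
{
    unsigned seen = 0;
    const char *line = strstr(msg, "\r\n");        /* end of the request line */
    while (line) {
        line += 2;
        if (line[0] == '\r' || line[0] == '\0')    /* blank line: headers end, body ignored */
            break;
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', linelen);
        if (colon && line[0] != ' ' && line[0] != '\t') {  /* skip folded continuation lines */
            size_t len = (size_t)(colon - line);
            while (len > 0 && (line[len - 1] == ' ' || line[len - 1] == '\t'))
                len--;                             /* whitespace before ':' is legal */
            for (size_t i = 0; i < sizeof mandatory / sizeof mandatory[0]; i++) {
                const char *n = mandatory[i].name, *c = mandatory[i].compact;
                if ((len == strlen(n) && !strncasecmp(line, n, len)) ||
                    (c && len == 1 && !strncasecmp(line, c, 1)))   /* names are case-insensitive */
                    seen |= mandatory[i].bit;
            }
        }
        line = eol;
    }
    return H_ALL & ~seen;
}

/* Constructed sample requests (not taken from the pcap attached to the issue). */
#define HDRS_NO_CSEQ \
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n" \
    "Max-Forwards: 70\r\n" "t: <sip:bob@example.com>\r\n" \
    "From: <sip:alice@example.com>;tag=1928301774\r\n" \
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
const char *invite_no_cseq = "INVITE sip:bob@example.com SIP/2.0\r\n" HDRS_NO_CSEQ "\r\n";
const char *invite_ok = "INVITE sip:bob@example.com SIP/2.0\r\n" HDRS_NO_CSEQ "CSeq: 314159 INVITE\r\n\r\n";

int main(void) { return sip_missing_headers(invite_ok) != 0 || sip_missing_headers(invite_no_cseq) != H_CSEQ; }
```

A check like this belongs before any response is built, since a response generated by copying headers from a request without CSeq would itself lack CSeq.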