Details

      Description

      Imagine an INVITE with m audio, m video and c video.

      Now we bypass the (!sa && !vsa && !tsa && !isa) check in process_sdp, but later on, portno being > -1 gets us an ast_sockaddr_set_port(sa, portno); call, even though sa is NULL.

      Cheers,
      Walter
      OSSO

      1. AST-2013-005-1.8.15.diff (5 kB, Matt Jordan)
      2. AST-2013-005-1.8.diff (1 kB, Matt Jordan)
      3. AST-2013-005-10.diff (26 kB, Matt Jordan)
      4. AST-2013-005-10-digiumphones.diff (26 kB, Matt Jordan)
      5. AST-2013-005-11.2.diff (2 kB, Matt Jordan)
      6. AST-2013-005-11.diff (15 kB, Matt Jordan)
      7. invalid_sdp.xml (1 kB, Matt Jordan)
      8. issueA22007_sdp_without_c_death.patch (1 kB, Walter Doekes)

        Activity

        Matt Jordan added a comment -

        Privacy granted!

        Walter Doekes added a comment -

        For completeness' sake.

        =Backtrace=

        Program received signal SIGSEGV, Segmentation fault.
        [Switching to Thread 0x7ffff40fe700 (LWP 1504)]
        0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
        382		if (addr->ss.ss_family == AF_INET &&
        (gdb) back
        #0  0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
        #1  0x00007fffbcb3fa36 in process_sdp (p=0x7fffb0002a68, req=0x7ffff40fd260, t38action=1) at chan_sip.c:10640
        #2  0x00007fffbcb98585 in handle_request_invite (p=0x7fffb0002a68, req=0x7ffff40fd260, addr=0x7ffff40fdcd0, seqno=1, recount=0x7ffff40fd210, e=0x7fffb0000ebf "sip:1000@127.0.0.1:5060", 
            nounlock=0x7ffff40fd214) at chan_sip.c:25325
        

        =Config files=

        asterisk-trunk$ cat /etc/asterisk/sip.conf
        [general]
        
        asterisk-trunk$ cat /etc/asterisk/extensions.conf
        [default]
        exten => 1000,1,NoOp()
        

        =SDP=

              m=audio [media_port] RTP/AVP 8 0
              m=video [media_port] RTP/AVP 8 0
              c=IN IP[media_ip_type] [media_ip]
        

        =Versions=

        trunk r393633 (vulnerable)
        10 rCUSTOM (vulnerable)
        1.8 r393627 (vulnerable)

        I didn't test any others.

        =Patch=

        I initially improved the (!sa && !vsa && !tsa && !isa) checks to something like:

        ... && (sa || portno == -1) && (vsa || videoportno == -1) && ...
        

        But then I figured that we might block some SDP used in the wild that didn't crash, and we'd be breaking things for them.

        So instead I opted to add the checks as I did in issueA22007_sdp_without_c_death.patch.

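        The following is an added example, not chan_sip.c and not the attached patch: a constructed model of the address/port bookkeeping that the description and the comment above talk about. It keeps one address pointer per stream (sa, vsa, tsa, isa are NULL until a c= line applies to that stream) and one port per stream (-1 until an m= line declares it), runs the original "(!sa && !vsa && !tsa && !isa)" check, and then tries to set the port of every declared stream. The stand-in for ast_sockaddr_set_port() reports the NULL dereference as a return code instead of crashing, so the original flow can be compared with the per-stream "(sa || portno == -1)" variant Walter describes first. The SDP bodies, the function names and the session-level c= handling are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of process_sdp()'s per-stream state; example code, not Asterisk's. */
enum stream { AUDIO = 0, VIDEO, TEXT, IMAGE, NSTREAMS };
enum sdp_result { SDP_OK = 0, SDP_REJECTED = -1, SDP_NULL_DEREF = -2 };

struct addr { char host[64]; int port; };

struct sdp_state {
    struct addr storage[NSTREAMS]; /* backing store for the four addresses */
    struct addr *sa[NSTREAMS];     /* sa, vsa, tsa, isa: NULL = no c= applied */
    int portno[NSTREAMS];          /* portno, videoportno, ...: -1 = no m= seen */
};

/* Map an m= media type to a stream index; NSTREAMS for anything unsupported. */
static int stream_of(const char *media)
{
    static const char *names[NSTREAMS] = { "audio", "video", "text", "image" };
    for (int i = 0; i < NSTREAMS; i++)
        if (!strcmp(media, names[i]))
            return i;
    return NSTREAMS;
}

/* Stand-in for ast_sockaddr_set_port(): the real one dereferences addr unconditionally. */
static int set_port(struct addr *a, int port)
{
    if (!a)
        return SDP_NULL_DEREF;
    a->port = port;
    return SDP_OK;
}

static void parse_sdp(const char *sdp, struct sdp_state *st)
{
    int cur = -1; /* -1 = session level (before the first m=), NSTREAMS = unsupported stream */
    memset(st, 0, sizeof *st);
    for (int i = 0; i < NSTREAMS; i++)
        st->portno[i] = -1;

    for (const char *p = sdp; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len && line[len - 1] == '\r')
            line[len - 1] = '\0';

        if (!strncmp(line, "m=", 2)) {
            char media[16];
            int port;
            if (sscanf(line + 2, "%15s %d", media, &port) == 2) {
                cur = stream_of(media);
                if (cur < NSTREAMS)
                    st->portno[cur] = port; /* stream declared, address still unknown */
            }
        } else if (!strncmp(line, "c=", 2) && cur != NSTREAMS) {
            char net[8], type[8], host[64];
            if (sscanf(line + 2, "%7s %7s %63s", net, type, host) == 3) {
                /* Assumption: a session-level c= covers every stream, a media-level one only its own. */
                int lo = cur < 0 ? 0 : cur, hi = cur < 0 ? NSTREAMS - 1 : cur;
                for (int i = lo; i <= hi; i++) {
                    snprintf(st->storage[i].host, sizeof st->storage[i].host, "%s", host);
                    st->sa[i] = &st->storage[i];
                }
            }
        }
        p = eol ? eol + 1 : p + len;
    }
}

/* hardened = 0: the original flow. hardened = 1: add the per-stream "(sa || portno == -1)" check. */
static int finish_sdp(struct sdp_state *st, int hardened)
{
    if (hardened)
        for (int i = 0; i < NSTREAMS; i++)
            if (st->portno[i] != -1 && !st->sa[i])
                return SDP_REJECTED; /* declared stream with no address at all */

    /* The original check only fires when NO stream received an address. */
    if (!st->sa[AUDIO] && !st->sa[VIDEO] && !st->sa[TEXT] && !st->sa[IMAGE])
        return SDP_REJECTED;

    for (int i = 0; i < NSTREAMS; i++)
        if (st->portno[i] > -1) {
            int r = set_port(st->sa[i], st->portno[i]); /* sa[i] may still be NULL here */
            if (r != SDP_OK)
                return r;
        }
    return SDP_OK;
}

int process_sdp(const char *sdp, int hardened)
{
    struct sdp_state st;
    parse_sdp(sdp, &st);
    return finish_sdp(&st, hardened);
}

/* Constructed SDP bodies. CRASH_SDP mirrors the report: the only c= line follows m=video. */
static const char *CRASH_SDP = "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=-\r\nt=0 0\r\n"
    "m=audio 6000 RTP/AVP 8 0\r\nm=video 6000 RTP/AVP 8 0\r\nc=IN IP4 127.0.0.1\r\n";
static const char *GOOD_SDP = "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=-\r\nc=IN IP4 127.0.0.1\r\n"
    "t=0 0\r\nm=audio 6000 RTP/AVP 8 0\r\nm=video 6002 RTP/AVP 8 0\r\n";
static const char *NO_C_SDP = "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=-\r\nt=0 0\r\n"
    "m=audio 6000 RTP/AVP 8 0\r\n";

int main(void)
{
    printf("report SDP : original=%d hardened=%d\n", process_sdp(CRASH_SDP, 0), process_sdp(CRASH_SDP, 1));
    printf("normal SDP : original=%d hardened=%d\n", process_sdp(GOOD_SDP, 0), process_sdp(GOOD_SDP, 1));
    printf("no c= at all: original=%d hardened=%d\n", process_sdp(NO_C_SDP, 0), process_sdp(NO_C_SDP, 1));
    return 0;
}
```

        With the report's SDP the original flow passes the global check because vsa is set, then reaches set_port() with sa still NULL; the per-stream variant rejects it before that point. An SDP with no c= line at all is rejected by the original check in both modes, which is why the bug needs one stream with an address and another without. The per-stream variant is deliberately the stricter one Walter first considered; the fix he actually attached (issueA22007_sdp_without_c_death.patch) is not reproduced on this page.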
        Matt Jordan added a comment -

        Well... nuts. Thanks for catching this.

        Given that there may be another security vulnerability or two currently in the tracker, we'll queue this up until we know the status of those.

        Matt Jordan added a comment -

        Just to verify, I put together the SIPp scenario on this issue and confirmed that it does crash Asterisk.

        Matt Jordan added a comment -

        We've got everything lined up finally to get the security release out. These should go out today, 08/27.

