Summary: ASTERISK-22007: chan_sip: segfault with invalid sdp
Reporter: Walter Doekes (wdoekes)
Labels:
Date Opened: 2013-07-03 16:15:56
Date Closed: 2013-08-27 13:06:01
Priority: Critical
Regression?:
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions: 1.8.22.0 10.12.2 10.12.2-digiumphones 11.4.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
(0) AST-2013-005-1.8.15.diff
(1) AST-2013-005-1.8.diff
(2) AST-2013-005-10.diff
(3) AST-2013-005-10-digiumphones.diff
(4) AST-2013-005-11.2.diff
(5) AST-2013-005-11.diff
(6) invalid_sdp.xml
(7) issueA22007_sdp_without_c_death.patch
Description:
Imagine an INVITE with m audio, m video and c video.

Now we bypass (!sa && !vsa && !tsa && !isa) in process_sdp, but later on, the portno being > -1 gets us an ast_sockaddr_set_port(sa, portno); call. Even though sa is NULL.

Cheers,
Walter
OSSO
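The failure the report describes is a per-stream mismatch: the SDP carries an audio port, but the only c= line belongs to the video stream, so the combined (!sa && !vsa && !tsa && !isa) test passes while the audio address is still NULL. The following is a constructed model added here, not Asterisk's code or the attached patch; it tracks port and address per stream and rejects the SDP before any port could be applied to a missing address.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the process_sdp failure mode, not Asterisk's own code:
 * each stream keeps the port from its m= line and a flag that only a c= line
 * can set, and a port is never applied to a stream without an address. */
enum { SDP_AUDIO = 0, SDP_VIDEO = 1, SDP_OTHER = 2, SDP_NSTREAMS = 3 };

struct sdp_state {
    int port[SDP_NSTREAMS];     /* -1 until an m= line names a port */
    int has_addr[SDP_NSTREAMS]; /* 1 once a session- or media-level c= applies */
};
/* Returns 0 when every stream that carries a port also has an address, -1 for
 * an SDP that would reach ast_sockaddr_set_port() with a NULL address. */
int check_sdp(const char *sdp, struct sdp_state *st)
{
    int cur = -1;               /* -1 while still in the session-level part */
    char line[512];
    for (int i = 0; i < SDP_NSTREAMS; i++) {
        st->port[i] = -1;
        st->has_addr[i] = 0;
    }
    while (*sdp) {
        const char *nl = strchr(sdp, '\n');
        size_t len = nl ? (size_t)(nl - sdp) : strlen(sdp);
        if (len >= sizeof(line))
            return -1;          /* oversized line: refuse rather than truncate */
        memcpy(line, sdp, len);
        line[len] = '\0';
        sdp += len + (nl ? 1 : 0);
        if (!strncmp(line, "m=audio ", 8)) {
            st->port[cur = SDP_AUDIO] = atoi(line + 8);
        } else if (!strncmp(line, "m=video ", 8)) {
            st->port[cur = SDP_VIDEO] = atoi(line + 8);
        } else if (!strncmp(line, "m=", 2)) {
            cur = SDP_OTHER;    /* text/image/...: tracked only to scope c= lines */
        } else if (!strncmp(line, "c=", 2) && cur >= 0) {
            st->has_addr[cur] = 1;           /* media-level c= */
        } else if (!strncmp(line, "c=", 2)) {
            for (int i = 0; i < SDP_NSTREAMS; i++)
                st->has_addr[i] = 1;         /* session-level c= covers all */
        }
    }
    /* The per-stream test that the combined (!sa && !vsa && ...) check lacks. */
    for (int i = 0; i < SDP_NSTREAMS; i++)
        if (st->port[i] > -1 && !st->has_addr[i])
            return -1;
    return 0;
}
```

The sample SDPs in the test mirror the report's shape (audio and video m= lines, c= only after video) against the session-level and per-media layouts that are fine.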
Comments:

By: Matt Jordan (mjordan) 2013-07-03 16:16:39.957-0500
Privacy granted!

By: Walter Doekes (wdoekes) 2013-07-04 02:19:20.571-0500
For completeness sake.

=Backtrace=
{noformat}
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff40fe700 (LWP 1504)]
0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
382	if (addr->ss.ss_family == AF_INET &&
(gdb) back
#0  0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
#1  0x00007fffbcb3fa36 in process_sdp (p=0x7fffb0002a68, req=0x7ffff40fd260, t38action=1) at chan_sip.c:10640
#2  0x00007fffbcb98585 in handle_request_invite (p=0x7fffb0002a68, req=0x7ffff40fd260, addr=0x7ffff40fdcd0, seqno=1, recount=0x7ffff40fd210, e=0x7fffb0000ebf "sip:1000@127.0.0.1:5060", nounlock=0x7ffff40fd214) at chan_sip.c:25325
{noformat}

=Config files=
{noformat}
asterisk-trunk$ cat /etc/asterisk/sip.conf
[general]
asterisk-trunk$ cat /etc/asterisk/extensions.conf
[default]
exten => 1000,1,NoOp()
{noformat}

=SDP=
{noformat}
m=audio [media_port] RTP/AVP 8 0
m=video [media_port] RTP/AVP 8 0
c=IN IP[media_ip_type] [media_ip]
{noformat}

=Versions=
trunk r393633 (vulnerable)
10 rCUSTOM (vulnerable)
1.8 r393627 (vulnerable)
I didn't test any others.

=Patch=
I initially improved the (!sa && !vsa && !tsa && !isa) checks to something like:
{noformat}
... && (sa || portno == -1) && (vsa || videoportno == -1) && ...
{noformat}
But then I figured that we might block some SDP used in the wild that didn't crash, and we'd be breaking things for them. So instead I opted to add the checks as I did in {{issueA22007_sdp_without_c_death.patch}}.

By: Matt Jordan (mjordan) 2013-07-05 09:17:13.626-0500
Well... nuts. Thanks for catching this.

Given that there may be another security vulnerability or two currently in the tracker, we'll queue this up until we know the status of those.

By: Matt Jordan (mjordan) 2013-07-08 19:30:39.989-0500
Just to verify, I put together the SIPp scenario on this issue and confirmed that it does crash Asterisk.

By: Matt Jordan (mjordan) 2013-08-27 09:36:05.254-0500
We've got everything lined up finally to get the security release out. These should go out today, 08/27.