
Summary: ASTERISK-22007: chan_sip: segfault with invalid sdp
Reporter: Walter Doekes (wdoekes)
Labels:
Date Opened: 2013-07-03 16:15:56
Date Closed: 2013-08-27 13:06:01
Priority: Critical
Regression?:
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions: 1.8.22.0 10.12.2 10.12.2-digiumphones 11.4.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) AST-2013-005-1.8.15.diff
( 1) AST-2013-005-1.8.diff
( 2) AST-2013-005-10.diff
( 3) AST-2013-005-10-digiumphones.diff
( 4) AST-2013-005-11.2.diff
( 5) AST-2013-005-11.diff
( 6) invalid_sdp.xml
( 7) issueA22007_sdp_without_c_death.patch

Description:

Imagine an INVITE with m audio, m video and c video.

Now we bypass (!sa && !vsa && !tsa && !isa) in process_sdp, but later on, the portno being > -1 gets us a ast_sockaddr_set_port(sa, portno); call. Even though sa is NULL.

Cheers,
Walter
OSSO
Comments:

By: Matt Jordan (mjordan) 2013-07-03 16:16:39.957-0500

Privacy granted!

By: Walter Doekes (wdoekes) 2013-07-04 02:19:20.571-0500

For completeness' sake.

=Backtrace=
{noformat}
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff40fe700 (LWP 1504)]
0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
382 if (addr->ss.ss_family == AF_INET &&
(gdb) back
#0  0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
#1  0x00007fffbcb3fa36 in process_sdp (p=0x7fffb0002a68, req=0x7ffff40fd260, t38action=1) at chan_sip.c:10640
#2  0x00007fffbcb98585 in handle_request_invite (p=0x7fffb0002a68, req=0x7ffff40fd260, addr=0x7ffff40fdcd0, seqno=1, recount=0x7ffff40fd210, e=0x7fffb0000ebf "sip:1000@127.0.0.1:5060",
   nounlock=0x7ffff40fd214) at chan_sip.c:25325
{noformat}

=Config files=
{noformat}
asterisk-trunk$ cat /etc/asterisk/sip.conf
[general]

asterisk-trunk$ cat /etc/asterisk/extensions.conf
[default]
exten => 1000,1,NoOp()
{noformat}

=SDP=
{noformat}
     m=audio [media_port] RTP/AVP 8 0
     m=video [media_port] RTP/AVP 8 0
     c=IN IP[media_ip_type] [media_ip]
{noformat}

=Versions=

trunk r393633 (vulnerable)
10 rCUSTOM (vulnerable)
1.8 r393627 (vulnerable)

I didn't test any others.

=Patch=

I initially improved the (!sa && !vsa && !tsa && !isa) checks to something like:
{noformat}
... && (sa || portno == -1) && (vsa || videoportno == -1) && ...
{noformat}

But then I figured that we might block some SDP used in the wild that didn't crash, and we'd be breaking things for them.

So instead I opted to add the checks as I did in {{issueA22007_sdp_without_c_death.patch}}.
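
The failure path in this report and the two fix strategies weighed above, as an added C example that is not chan_sip's code and not the attached patch (whose contents are not reproduced on this page): a tiny SDP reader built on hypothetical media_stream / process_sdp / set_port stand-ins tracks, per stream, the port from the m= line and whether any c= line supplied an address. MODE_ORIGINAL reproduces how the combined (!sa && !vsa ...) check is bypassed when only the video stream carries a c= line, so the unaddressed audio stream still reaches set_port with no address; MODE_REJECT_EARLY is the tightened per-stream (sa || portno == -1) check; MODE_GUARD_LATE assumes a guard at the set_port call site that skips the unaddressed stream instead of rejecting the whole SDP. The session-level versus media-level c= handling, the return codes and the constructed SDP bodies are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical stand-ins written for this example; they are
 * not chan_sip's real structures or functions. */

enum sdp_mode {
    MODE_ORIGINAL,      /* only the combined "no stream has an address" check */
    MODE_REJECT_EARLY,  /* tightened check: (have_addr || portno == -1) per stream */
    MODE_GUARD_LATE     /* keep the original check, guard each set_port call */
};

struct media_stream {
    int portno;        /* -1 until an m= line for this stream is seen */
    bool have_addr;    /* stands in for sa / vsa being non-NULL */
    char addr[64];
    int port_set;      /* what set_port recorded; 0 if it was never called */
};

/* Stand-in for ast_sockaddr_set_port(): reports the missing-address case as -2
 * instead of dereferencing NULL, so the outcome is a return code, not a SIGSEGV. */
static int set_port(struct media_stream *s)
{
    if (!s->have_addr) {
        return -2;   /* corresponds to the addr=0x0 frame in the backtrace */
    }
    s->port_set = s->portno;
    return 0;
}

/* Returns 0 = accepted, -1 = rejected by a check, -2 = an unaddressed stream
 * reached set_port (the crash condition). */
int process_sdp(const char *sdp, enum sdp_mode mode,
                struct media_stream *audio, struct media_stream *video)
{
    struct media_stream other;         /* sink for media types we do not track */
    struct media_stream *cur = NULL;   /* NULL while still at session level */
    struct media_stream *streams[2];
    char buf[1024];
    char *line;
    int i;

    memset(audio, 0, sizeof(*audio));
    memset(video, 0, sizeof(*video));
    memset(&other, 0, sizeof(other));
    audio->portno = video->portno = other.portno = -1;

    snprintf(buf, sizeof(buf), "%s", sdp);   /* strtok needs a writable copy */

    for (line = strtok(buf, "\r\n"); line; line = strtok(NULL, "\r\n")) {
        char type[16];
        int port;
        if (sscanf(line, "m=%15s %d", type, &port) == 2) {
            cur = strcmp(type, "audio") == 0 ? audio
                : strcmp(type, "video") == 0 ? video : &other;
            cur->portno = port;
        } else if (strncmp(line, "c=IN IP", 7) == 0) {
            const char *ip = strrchr(line, ' ');
            if (!ip) {
                continue;
            }
            ip++;
            if (cur) {   /* media-level c=: applies to the current stream only */
                cur->have_addr = true;
                snprintf(cur->addr, sizeof(cur->addr), "%s", ip);
            } else {     /* session-level c=: assumed to apply to every stream */
                audio->have_addr = video->have_addr = true;
                snprintf(audio->addr, sizeof(audio->addr), "%s", ip);
                snprintf(video->addr, sizeof(video->addr), "%s", ip);
            }
        }
    }

    /* The combined check the reported SDP slips past: video did get a c= line,
     * so "no stream has an address" is false, and audio (port set, no address)
     * survives into the port-assignment loop below. */
    if (!audio->have_addr && !video->have_addr) {
        return -1;
    }
    if (mode == MODE_REJECT_EARLY &&
        !((audio->have_addr || audio->portno == -1) &&
          (video->have_addr || video->portno == -1))) {
        return -1;
    }

    streams[0] = audio;
    streams[1] = video;
    for (i = 0; i < 2; i++) {
        if (streams[i]->portno > -1) {
            int rc;
            if (mode == MODE_GUARD_LATE && !streams[i]->have_addr) {
                continue;   /* assumed call-site guard: skip the unaddressed stream */
            }
            rc = set_port(streams[i]);
            if (rc) {
                return rc;
            }
        }
    }
    return 0;
}

/* Constructed from the three-line SDP in the report: the only c= line comes
 * after m=video, so the audio stream never receives an address. */
static const char BUG_SDP[] =
    "v=0\r\n"
    "m=audio 6000 RTP/AVP 8 0\r\n"
    "m=video 6002 RTP/AVP 8 0\r\n"
    "c=IN IP4 192.0.2.10\r\n";

/* Constructed well-formed counterpart with a session-level c= line. */
static const char OK_SDP[] =
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 6000 RTP/AVP 8 0\r\n"
    "m=video 6002 RTP/AVP 8 0\r\n";

int main(void)
{
    struct media_stream a, v;
    printf("original:     %d\n", process_sdp(BUG_SDP, MODE_ORIGINAL, &a, &v));
    printf("reject early: %d\n", process_sdp(BUG_SDP, MODE_REJECT_EARLY, &a, &v));
    printf("guard late:   %d (video port %d)\n",
           process_sdp(BUG_SDP, MODE_GUARD_LATE, &a, &v), v.port_set);
    printf("well-formed:  %d\n", process_sdp(OK_SDP, MODE_ORIGINAL, &a, &v));
    return 0;
}
```

The two non-crashing modes differ in what they do with an SDP that has a port but no address for one stream: the early check refuses the whole offer, which is the compatibility worry raised above, while the call-site guard accepts the offer and simply leaves that stream without a port.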

By: Matt Jordan (mjordan) 2013-07-05 09:17:13.626-0500

Well... nuts. Thanks for catching this.

Given that there may be another security vulnerability or two currently in the tracker, we'll queue this up until we know the status of those.

By: Matt Jordan (mjordan) 2013-07-08 19:30:39.989-0500

Just to verify, I put together the SIPp scenario on this issue and confirmed that it does crash Asterisk.

By: Matt Jordan (mjordan) 2013-08-27 09:36:05.254-0500

We've got everything lined up finally to get the security release out. These should go out today, 08/27.