Summary: ASTERISK-25481: res_pjsip listens on undefined UDP port, even with no transports configured
Reporter: Peter Pfannenschmid (Binarus)
Labels:
Date Opened: 2015-10-20 12:11:27
Date Closed:
Priority: Major
Regression?:
Status: Open/New
Components: Documentation pjproject/pjsip
Versions: 13.6.0
Frequency of Occurrence: Constant
Related Issues:
Environment: Debian wheezy x64 (up-to-date), Asterisk 13.6.0, PJSIP 2.4.5
Attachments: ( 0) menuselect.makeopts

Description:
Asterisk / PJSIP open at least one unwanted UDP port when being started.

Steps to reproduce:

1) Download, configure, compile and make install PJSIP 2.4.5.
2) Download Asterisk 13.6.0, configure and make menuselect *LIKE DESCRIBED BELOW*, then make install.
3) Fire up Asterisk by asterisk -gc.
4) Using netstat, observe something like:
{noformat}
>netstat -apnv | grep asterisk
udp    0      0 192.168.20.48:5060      0.0.0.0:*      26419/asterisk
udp    0      0 0.0.0.0:38827           0.0.0.0:*      26419/asterisk
{noformat}

The first line is expected, of course, but the second isn't. The port shown on the second line changes every time Asterisk is restarted.

Regarding menuselect: I have slimmed my Asterisk installation as much as it was possible taking my needs into account. This means there is no module which should open an additional port. I have attached my menuselect.makeopts file to facilitate reproducing the issue.

I have tagged this as critical because Asterisk / PJSIP unexpectedly opening a port is quite threatening, leaving aside the fact that it does so on all IP addresses, thereby ignoring the configuration of the transport.

Maybe it's a newbie's fault and I have overlooked something, but on the other hand, I got no answer to that on the mailing list, so obviously the reason for that port being open is unknown, and that is critical, isn't it?
Comments:

By: Asterisk Team (asteriskteam) 2015-10-20 12:11:28.538-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Peter Pfannenschmid (Binarus) 2015-10-20 12:13:19.773-0500

Attaching menuselect.makeopts to facilitate reproducing the problem.

By: Rusty Newton (rnewton) 2015-10-21 17:23:09.032-0500

Thanks for the makeopts. Are you using sample config files? If not, can you attach the configuration in use? (if it is only a few files attach as .txt for accessibility).

By: Peter Pfannenschmid (Binarus) 2015-10-22 11:15:26.479-0500

I think I don't need to upload my configuration files: After compiling and installing, do "rm -r /etc/asterisk" (in case there is an old one in place) and then "make samples". Then start Asterisk by doing "asterisk -gc" (this will get you some warnings on the Asterisk console because the sample configuration does not fit well with the module configuration) and observe the following:

{noformat}
>netstat -apnv | grep asterisk
udp 0 0 0.0.0.0:36973 0.0.0.0:* 26419/asterisk
{noformat}

As you can see, the open port 5060 now isn't there any more (this is expected since there is no reasonable PJSIP configuration active with the sample files, notably there is no transport configured), but the unwanted port is still open.



By: Peter Pfannenschmid (Binarus) 2015-10-22 11:18:14.030-0500

Why has this been triaged again?

By: Rusty Newton (rnewton) 2015-10-30 15:30:20.357-0500

It was triaged as part of the normal process, because we needed to triage it. I've just looked into it and found pretty much what you have.

Tested with Asterisk GIT-13-9a021a4

Potential security issue depending on what can happen when someone hits this port.

* Asterisk, built with pjproject and res_pjsip listens on an undefined port (usually in the 30 - 50K range)
* Occurs with transports configured or not.
* I noloaded all pjsip relevant modules except res_pjsip and the problem still occurs. After noloading res_pjsip itself the problem does not occur.
* The configuration in pjsip.conf doesn't seem to affect the result.
* Each time Asterisk is stopped and started a different port is used.
* I verified the problem occurs with all sample configuration loaded.
* The menuselect configuration doesn't appear to matter too much. It seems to occur as long as res_pjsip (only that single module) is loaded.

I sent some calls to the port to see how Asterisk would respond. The pjsip logger when loaded doesn't catch anything. However we do see some activity in debug:

{noformat}
*CLI> [Oct 30 15:25:41] DEBUG[28684]: pjsip:0 <?>:    resolver.c Received 512 bytes DNS response from 10.24.19.188:64316
[Oct 30 15:25:41] DEBUG[28684]: pjsip:0 <?>:    resolver.c Error parsing DNS response from 10.24.19.188:64316: Not enough memory (PJ_ENOMEM)
[Oct 30 15:25:41] DEBUG[28684]: pjsip:0 <?>:    resolver.c Received 512 bytes DNS response from 10.24.19.188:64316
[Oct 30 15:25:41] DEBUG[28684]: pjsip:0 <?>:    resolver.c Error parsing DNS response from 10.24.19.188:64316: Not enough memory (PJ_ENOMEM)
[Oct 30 15:25:42] DEBUG[28684]: pjsip:0 <?>:    resolver.c Received 512 bytes DNS response from 10.24.19.188:64316
[Oct 30 15:25:42] DEBUG[28684]: pjsip:0 <?>:    resolver.c Error parsing DNS response from 10.24.19.188:64316: Not enough memory (PJ_ENOMEM)
[Oct 30 15:25:44] DEBUG[28684]: pjsip:0 <?>:    resolver.c Received 512 bytes DNS response from 10.24.19.188:64316
[Oct 30 15:25:44] DEBUG[28684]: pjsip:0 <?>:    resolver.c Error parsing DNS response from 10.24.19.188:64316: Not enough memory (PJ_ENOMEM)
{noformat}

By: Rusty Newton (rnewton) 2015-10-30 15:37:24.490-0500

Opening this up for a developer to look at. I'm locking down the issue temporarily as well since this could be a security issue.

By: Rusty Newton (rnewton) 2015-10-30 16:06:08.096-0500

Looks like it is the DNS port for PJSIP. It should be benign, though we need to document this better and possibly question whether we should have it be configurable.

By: Peter Pfannenschmid (Binarus) 2015-10-31 09:15:16.227-0500

Rusty, thank you very much for looking into this. I really have been concerned about it.

I still have a question: What exactly do you mean by "DNS port for PJSIP"? Does PJSIP have its own DNS server / resolver built in? I don't remember having seen related options when doing ./configure --help in the PJSIP source tree. What would be the sense of an extra DNS server / resolver in PJSIP?

Or is this port from asterisk acting as a DNS *client*? But why should it be open then?


By: Joshua C. Colp (jcolp) 2015-11-05 19:54:59.883-0600

PJSIP has a DNS resolver built in; it acts as a DNS client. Since DNS resolution can occur over both TCP and UDP it requires a UDP port to be open to receive responses.
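
An added example (not part of the issue thread and not Asterisk or PJSIP code): a small audit that parses `netstat -apn` output like the reporter's and separates sockets matching a configured transport from wildcard sockets on kernel-assigned ports, such as the resolver socket discussed above. The `CONFIGURED` set, the ephemeral port range and the function names are assumptions to adjust per host.

```python
import re

# Constructed sample: the two netstat lines quoted in the issue description.
SAMPLE = """\
udp    0      0 192.168.20.48:5060      0.0.0.0:*      26419/asterisk
udp    0      0 0.0.0.0:38827           0.0.0.0:*      26419/asterisk
"""

# Assumption: binds of the transports defined in pjsip.conf, as (address, port).
CONFIGURED = {("192.168.20.48", 5060)}
# Assumption: common Linux default for net.ipv4.ip_local_port_range; check the host.
EPHEMERAL = range(32768, 61000)
WILDCARDS = {"0.0.0.0", "::"}

# Proto Recv-Q Send-Q Local Foreign [State] PID/Program  (netstat -apn layout)
LINE = re.compile(
    r"^(?P<proto>(?:udp|tcp)6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r"(?:[A-Z_]+\d*\s+)?(?P<pid>\d+)/(?P<prog>\S+)"
)

def audit(netstat_text, configured=CONFIGURED, program="asterisk"):
    """Return (proto, addr, port, verdict) for each socket owned by `program`."""
    findings = []
    for raw in netstat_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["prog"] != program:
            continue  # header, other process, or no PID column (not run as root)
        addr, port = m["addr"], int(m["port"])
        if (addr, port) in configured:
            verdict = "configured transport"
        elif addr in WILDCARDS and port in EPHEMERAL:
            # Wildcard bind on a kernel-chosen port: the pattern this issue reports.
            verdict = "wildcard, kernel-assigned port"
        else:
            verdict = "not in configuration"
        findings.append((m["proto"], addr, port, verdict))
    return findings

def unexplained(netstat_text, configured=CONFIGURED, program="asterisk"):
    """Sockets that no configured transport accounts for."""
    return [f for f in audit(netstat_text, configured, program)
            if f[3] != "configured transport"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Because the port changes on every restart, a firewall rule or baseline keyed on the port number will not hold; key the baseline on the verdict instead.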