
Summary: ASTERISK-26131: chan_sip: Crash Asterisk (in sip_request_call at chan_sip.c) by making a call to a single character in a dot pattern match
Reporter: Dwayne Hubbard (dwayne)
Labels: patch
Date Opened: 2016-06-21 09:33:10
Date Closed: 2017-12-13 07:15:15.000-0600
Priority: Major
Regression?:
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) backtrace.txt
( 1) dw-asterisk-11.17.1-dnid-crash.patch
( 2) dw-asterisk-master-dnid-crash.patch
( 3) extensions.conf
( 4) full.txt
( 5) logger.conf
( 6) messages.txt
( 7) modules.conf
( 8) rtp.conf
( 9) sip.conf
Description: I believe I may have found a potential security issue in Asterisk 11.17.1, 13.6.0, as well as Asterisk GIT-master-7c59f21.  A soft phone user can crash Asterisk by making a call to a single character - '!' - which is stripped during DNID parsing resulting in an attempt to call AST_NONSTANDARD_APP_ARGS on an empty string.  I was able to reproduce this using Blink, Zoiper, and MicroSIP against Asterisk 11.17.1, 13.6.0, as well as the GIT master revision above.  Please see the attached patches for proposed fixes.  I have signed the Source Code License Agreement multiple times, most recently under username 'dwayne'.  Please let me know if there is anything else I can provide.

Thanks!
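
The failure mode in the description above (a suffix is stripped at `!`, then the now-empty remainder is split into fields) is shown here with the guard that prevents it. This is an added C example, not Asterisk's code or the attached patch; `parse_dial_target`, `struct dial_target` and the `/` field separator are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a dial-string parser; not Asterisk code. */
struct dial_target {
    char buf[128];     /* private copy, split in place */
    const char *peer;  /* first '/'-separated field */
    const char *rest;  /* text after the first '/', or NULL */
    const char *dnid;  /* text after '!', or NULL */
};

/* Returns 0 on success, -1 if the destination is unusable. */
int parse_dial_target(const char *dest, struct dial_target *out)
{
    char *bang, *slash;

    memset(out, 0, sizeof(*out));
    if (dest == NULL || strlen(dest) >= sizeof(out->buf))
        return -1;
    strcpy(out->buf, dest);

    /* Cut off the DNID suffix; a bare "!" leaves buf empty. */
    bang = strchr(out->buf, '!');
    if (bang != NULL) {
        *bang++ = '\0';
        out->dnid = bang;
    }
    /* Guard: reject an empty destination before splitting it into
     * fields, so no caller ever receives a target without a peer. */
    if (out->buf[0] == '\0')
        return -1;

    slash = strchr(out->buf, '/');
    if (slash != NULL) {
        *slash++ = '\0';
        out->rest = slash;
    }
    if (out->buf[0] == '\0')  /* leading '/' gives an empty peer */
        return -1;
    out->peer = out->buf;
    return 0;
}

int main(void)
{
    struct dial_target t;  /* the inputs below are constructed */
    printf("%d %d\n", parse_dial_target("!", &t), parse_dial_target("alice!100", &t));
    return 0;
}
```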
Comments:

By: Rusty Newton (rnewton) 2016-06-21 09:35:05.322-0500

You should be able to attach your patches now. Thanks Dwayne.

By: Rusty Newton (rnewton) 2016-06-21 09:38:25.048-0500

Please attach the configuration necessary to reproduce and provide step by step instructions on how to reproduce.

By: Dwayne Hubbard (dwayne) 2016-06-21 09:51:04.353-0500

DNID crash patches for Git master and 11.17.1

By: Rusty Newton (rnewton) 2016-06-22 09:00:30.192-0500

Please attach the configuration necessary to reproduce and provide step by step instructions on how to reproduce.

Log output with DEBUG and a SIP trace would be excellent!

By: Dwayne Hubbard (dwayne) 2016-06-22 10:12:05.941-0500

OK, gathering configuration files too.  Do you need everything for config or just dialplan?

By: Rusty Newton (rnewton) 2016-06-22 14:47:48.578-0500

Just the minimum necessary to reproduce the issue.

From your description it sounds like possibly the channel driver config and the dialplan.

By: Rusty Newton (rnewton) 2016-06-23 16:51:38.796-0500

I'm unable to reproduce or trigger the issue with a simple configuration and a call from Microsip to the ! character. I tried a variety of scenarios, dialing to ! with various dialplan entries and applications, but no luck.

With your configuration, please include some basic instructions on how to cause the issue. Thanks!

By: Dwayne Hubbard (dwayne) 2016-06-29 14:55:20.067-0500

Rusty,
Is there anything else you need from me on this?

By: Rusty Newton (rnewton) 2016-08-03 17:19:26.657-0500

We are good; I was able to reproduce it. I simply got busy with some other things. Sorry I took so long!

By: Rusty Newton (rnewton) 2016-08-03 17:21:47.952-0500

Attaching my backtrace, messages and full log from the reproduced crash. I used Dwayne's configs and simply commented out the NAT and networking options that didn't apply to my environment.

To trigger the crash for this particular backtrace I registered the testmicrosip phone and dialed "!".

By: Corey Farrell (coreyfarrell) 2016-10-30 10:31:42.363-0500

[~dwayne]: Would you like to post your patch for review [1] so we can get this merged?  If not please reply here giving me permission to take over your patch.

[1] https://wiki.asterisk.org/wiki/display/AST/Code+Review

By: Dwayne Hubbard (dwayne) 2016-11-16 09:53:27.171-0600

Corey,
 Sorry for the delayed response, I didn't immediately respond to your comment and then it fell through the cracks.  I will gladly post the patch for review.  Thanks!

By: Corey Farrell (coreyfarrell) 2017-03-28 05:04:29.328-0500

[~dwayne]: Ping

By: Friendly Automation (friendly-automation) 2017-12-13 07:15:16.226-0600

Change 7536 merged by Jenkins2:
chan_sip: Don't crash in Dial on invalid destination

https://gerrit.asterisk.org/7536

By: Friendly Automation (friendly-automation) 2017-12-13 07:27:40.751-0600

Change 7535 merged by Joshua Colp:
chan_sip: Don't crash in Dial on invalid destination

https://gerrit.asterisk.org/7535

By: Friendly Automation (friendly-automation) 2017-12-13 07:37:14.345-0600

Change 7534 merged by Jenkins2:
chan_sip: Don't crash in Dial on invalid destination

https://gerrit.asterisk.org/7534