Summary: | ASTERISK-26348: chan_sip: File descriptors leak (UDP sockets) also triggered by same-callid | ||
Reporter: | Walter Doekes (wdoekes) | Labels: | |
Date Opened: | 2016-09-09 04:38:17 | Date Closed: | 2016-10-31 13:26:56 |
Priority: | Major | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_sip/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) oinv-i40X-oinv-w-auth.xml | |
Description: | re: http://downloads.asterisk.org/pub/security/AST-2016-007.html
*The good news:* ASTERISK-26272 fixes this issue.

*The bad news:* Setting {{allowoverlap=no}} is not sufficient to close the RTP leak. You can trigger the leak as well by setting up a second call with the same call-id before ACKing the 404 of the first call.

Example SIPp XML is attached. It expects the extension {{whatever}} to not exist (return 404). For {{allowguest=yes}} the scenario is sufficient. For authenticated sessions you'll need to pass {{-s}} and {{-ap}} to SIPp.

Cheers,
Walter Doekes
OSSO B.V. | ||
Comments: |
By: Asterisk Team (asteriskteam) 2016-09-09 04:38:18.594-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Corey Farrell (coreyfarrell) 2016-10-30 10:17:41.148-0500

I think I saw an updated security advisory, does that mean this issue can be closed?

By: Rusty Newton (rnewton) 2016-10-31 13:26:56.785-0500

Removed viewing restrictions and closing it out. Correct, the advisory was updated: http://downloads.asterisk.org/pub/security/AST-2016-007.html |
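A log check for the pattern in the report's description, added here as an example (not code from Asterisk or from the reporter): it walks a server-side SIP trace and flags an INVITE that reuses a Call-ID while the 404 for the earlier INVITE on that Call-ID has not yet been ACKed. The trace, addresses, Call-IDs and function names are constructed, and telling a new INVITE from a retransmission by its Via branch is an assumption of this example.

```python
import re

def parse(raw):
    """Return (kind, call_id, cseq_method, branch); kind is a method name or an int status."""
    lines = raw.split("\r\n")
    parts = lines[0].split()
    kind = int(parts[1]) if parts[0].startswith("SIP/") else parts[0]
    hdr = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdr.setdefault(name.strip().lower(), value.strip())  # keep topmost Via
    branch = re.search(r"branch=([^;\s]+)", hdr["via"]).group(1)
    return kind, hdr["call-id"], hdr["cseq"].split()[-1], branch

def find_callid_reuse(trace):
    """trace: (direction, raw) pairs as seen by the server, 'rx' or 'tx'."""
    pending = {}  # Call-ID -> branch of the INVITE whose 404 is still un-ACKed
    hits = []
    for n, (direction, raw) in enumerate(trace):
        kind, call_id, method, branch = parse(raw)
        if direction == "tx" and kind == 404 and method == "INVITE":
            pending[call_id] = branch
        elif direction == "rx" and kind == "ACK" and pending.get(call_id) == branch:
            del pending[call_id]  # ACK for a non-2xx reply carries the INVITE's branch
        elif direction == "rx" and kind == "INVITE" and call_id in pending:
            if branch != pending[call_id]:  # same branch would be a retransmission
                hits.append((n, call_id))
    return hits

def sip(start, call_id, cseq, branch):
    """Build a minimal constructed SIP message (sample data, not captured traffic)."""
    return (f"{start}\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch={branch}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n")

INV, ACK = (f"{m} sip:whatever@192.0.2.1 SIP/2.0" for m in ("INVITE", "ACK"))
NF = "SIP/2.0 404 Not Found"
TRACE = [  # constructed trace
    ("rx", sip(INV, "a@constructed", "1 INVITE", "z9hG4bK-a1")),
    ("tx", sip(NF,  "a@constructed", "1 INVITE", "z9hG4bK-a1")),
    ("rx", sip(INV, "a@constructed", "2 INVITE", "z9hG4bK-a2")),  # reuse before ACK
    ("rx", sip(ACK, "a@constructed", "1 ACK",    "z9hG4bK-a1")),
    ("rx", sip(INV, "b@constructed", "1 INVITE", "z9hG4bK-b1")),
    ("tx", sip(NF,  "b@constructed", "1 INVITE", "z9hG4bK-b1")),
    ("rx", sip(INV, "b@constructed", "1 INVITE", "z9hG4bK-b1")),  # retransmission
    ("rx", sip(ACK, "b@constructed", "1 ACK",    "z9hG4bK-b1")),
    ("rx", sip(INV, "b@constructed", "2 INVITE", "z9hG4bK-b2")),  # after ACK: fine
]
```

`find_callid_reuse(TRACE)` returns the trace index and Call-ID of each flagged INVITE; on a system still running an unpatched chan_sip, a hit is a reason to check the Asterisk process for growing numbers of open UDP sockets.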