Summary: | ASTERISK-27152: Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash | ||
Reporter: | Ross Beer (rossbeer) | Labels: | Security pjsip |
Date Opened: | 2017-07-24 07:46:02 | Date Closed: | 2017-08-31 06:14:12 |
Priority: | Critical | Regression? | |
Status: | Closed/Complete | Components: | |
Versions: | 13.15.0 14.4.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ||
Description: | Easily reproducible. Send any message to asterisk with "From: tel:+1000" in the headers.
The crash is in pjsip_message_ip_updater.c:sanitize_tdata. When we respond with even a 401, that function is called but it assumes that the From, To, and Contact uris are sip uris and casts the header's URI to {{pjsip_sip_uri *uri}}. It then tries to call pjsip_param_find on {{uri->other_param}}. Since the uri is actually a tel uri and {{other_param}} isn't at the same offset in {{pjsip_sip_uri}} as it is in {{pjsip_tel_uri}}, we get a crash. | ||
Comments: | By: Asterisk Team (asteriskteam) 2017-07-24 07:46:03.980-0500
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Friendly Automation (friendly-automation) 2017-08-31 06:14:13.363-0500
Change 6350 merged by Joshua Colp: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6350|https://gerrit.asterisk.org/6350]

By: Friendly Automation (friendly-automation) 2017-08-31 06:14:34.967-0500
Change 6360 merged by Joshua Colp: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6360|https://gerrit.asterisk.org/6360]

By: Friendly Automation (friendly-automation) 2017-08-31 06:38:50.980-0500
Change 6349 merged by Jenkins2: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6349|https://gerrit.asterisk.org/6349]

By: Friendly Automation (friendly-automation) 2017-08-31 06:40:47.395-0500
Change 6355 merged by Joshua Colp: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6355|https://gerrit.asterisk.org/6355]

By: Friendly Automation (friendly-automation) 2017-08-31 07:54:26.663-0500
Change 6351 merged by Joshua Colp: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6351|https://gerrit.asterisk.org/6351]

By: Friendly Automation (friendly-automation) 2017-08-31 07:59:44.680-0500
Change 6363 merged by Joshua Colp: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6363|https://gerrit.asterisk.org/6363]

By: Friendly Automation (friendly-automation) 2017-08-31 08:32:22.739-0500
Change 6352 merged by Jenkins2: pjsip_message_ip_updater: Fix issue handling "tel" URIs [https://gerrit.asterisk.org/6352|https://gerrit.asterisk.org/6352] |
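
The type confusion in the description comes from downcasting a URI without first checking its scheme. The following is an added example, not Asterisk or PJSIP code: the struct layouts, function names, and the `x-example` parameter are simplified, hypothetical stand-ins that show a checked downcast leaving a "tel" URI untouched.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the PJSIP URI types (hypothetical layouts,
 * not the real pjsip_sip_uri / pjsip_tel_uri definitions). */
enum uri_scheme { SCHEME_SIP, SCHEME_SIPS, SCHEME_TEL };
struct param { const char *name; const char *value; struct param *next; };
struct uri { enum uri_scheme scheme; };  /* common header of every URI */
struct sip_uri { struct uri base; const char *user, *host; int port; struct param *other_param; };
struct tel_uri { struct uri base; const char *number; struct param *other_param; };

static const struct param *param_find(const struct param *p, const char *name)
{
    for (; p; p = p->next)
        if (strcmp(p->name, name) == 0)
            return p;
    return NULL;
}

/* Checked downcast: NULL unless the URI really is a sip: or sips: URI. */
static struct sip_uri *as_sip_uri(struct uri *u)
{
    if (!u || (u->scheme != SCHEME_SIP && u->scheme != SCHEME_SIPS))
        return NULL;
    return (struct sip_uri *)u;
}

/* Returns 1 if a SIP URI carries the named parameter; returns 0 if it does
 * not, or if the URI is not a SIP URI (a tel: URI is never dereferenced). */
int sip_uri_has_param(struct uri *u, const char *name)
{
    struct sip_uri *sip = as_sip_uri(u);
    return sip && param_find(sip->other_param, name) != NULL;
}

/* Constructed samples: sip:alice@example.test;x-example=1 and tel:+1000 */
static struct param sample_param = { "x-example", "1", NULL };
static struct sip_uri sample_sip = { { SCHEME_SIP }, "alice", "example.test", 5060, &sample_param };
static struct tel_uri sample_tel = { { SCHEME_TEL }, "+1000", NULL };

int demo_sip(void) { return sip_uri_has_param(&sample_sip.base, "x-example"); }
int demo_tel(void) { return sip_uri_has_param(&sample_tel.base, "x-example"); }

int main(void)
{
    printf("sip: %d, tel: %d\n", demo_sip(), demo_tel());
    return 0;
}
```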