
Summary: ASTERISK-27279: Crash in pubsub_on_rx_request NULL pointer - Possible PJSIP Vulnerability
Reporter: Ross Beer (rossbeer)
Labels: pjsip
Date Opened: 2017-09-19 09:34:48
Date Closed: 2017-09-20 08:01:49
Priority: Major
Regression?:
Status: Closed/Complete
Components: Resources/res_pjsip_pubsub
Versions: GIT
Frequency of Occurrence: Constant
Related Issues:
Environment: Fedora 23
Attachments:
( 0) core-asterisk-3091-1505826693-thread1.txt
( 1) core-asterisk-3252-1505826711-thread1.txt
( 2) core-asterisk-3370-1505826727-thread1.txt
( 3) core-asterisk-3479-1505826761-thread1.txt
( 4) core-asterisk-3598-1505826778-thread1.txt
Description: Crash when receiving a SUBSCRIBE request with no content type.

{noformat}
#0  0x00007f8a3598d1a2 in pj_stricmp (str1=0x0, str2=0x7f89a9e3aab0) at ../include/pj/string_i.h:216
#1  0x00007f8a3598d2b1 in pj_stricmp2 (str1=0x0, str2=0x7f89bab14f5e "application") at ../include/pj/string_i.h:315
       copy2 = {ptr = 0x7f89bab14f5e "application", slen = 11}
#2  0x00007f89bab1226f in pubsub_on_rx_request (rdata=0x7f88ec0688d8) at res_pjsip_pubsub.c:3589
       rdata = 0x7f88ec0688d8
#3  0x00007f89bab1226f in pubsub_on_rx_request (rdata=0x7f88ec0688d8) at res_pjsip_pubsub.c:3603
       rdata = 0x7f88ec0688d8
{noformat}

The segfault is caused by a NULL pointer in the following method:

{noformat}
static pj_bool_t pubsub_on_rx_notify_request(pjsip_rx_data *rdata)
{
	if (pj_stricmp2(&rdata->msg_info.msg->body->content_type.type, "application") == 0 &&
		pj_stricmp2(&rdata->msg_info.msg->body->content_type.subtype, "simple-message-summary") == 0) {
		return pubsub_on_rx_mwi_notify_request(rdata);
	}
	return PJ_FALSE;
}
{noformat}

I would have expected PJSIP to have rejected the request due to the lack of a content type; however, it appears to have passed without issue.
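An added example that is not part of this report or of the Asterisk/pjproject source: a minimal C stand-in for the structures the check above dereferences, with the unguarded comparison placed next to a guarded version that treats a request carrying no body as "not an MWI NOTIFY" and falls through to the PJ_FALSE path. The type and function names (str_t, msg_body_t, rx_data_t, notify_is_mwi_guarded, classify_notify) are assumptions chosen only to mirror the shape of the pjsip types seen in the backtrace; the merged Asterisk change is the one linked in the comments, not this code. The inputs are constructed inline.

```c
/* Added example, not Asterisk or pjproject code.  The types below are
 * assumptions that mirror only the fields the crashing check walks. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-in for pj_str_t: pointer plus length, not NUL-terminated. */
typedef struct { const char *ptr; long slen; } str_t;

/* Stand-in for the content_type field of a pjsip message body. */
typedef struct { str_t type; str_t subtype; } media_type_t;

/* Stand-in for pjsip_msg_body: only the field the check touches. */
typedef struct { media_type_t content_type; } msg_body_t;

/* Stand-in for the msg_info.msg chain: body is NULL when the request
 * carried no body and no Content-Type, the case from this report. */
typedef struct { msg_body_t *body; } msg_t;
typedef struct { msg_t *msg; } rx_data_t;

/* Case-insensitive compare of a length-delimited string against a C
 * string, in the spirit of pj_stricmp2: returns 0 on match. */
static int stricmp2(const str_t *s, const char *lit)
{
	size_t n = strlen(lit);
	if (s->ptr == NULL || (size_t)s->slen != n)
		return 1;
	return strncasecmp(s->ptr, lit, n) != 0;
}

/* Unguarded check, shaped like the original pubsub_on_rx_notify_request:
 * with rdata->msg->body == NULL this dereferences a NULL pointer, which is
 * the segfault in the backtrace.  Kept only for comparison; never call it
 * on a body-less request. */
int notify_is_mwi_unguarded(const rx_data_t *rdata)
{
	return stricmp2(&rdata->msg->body->content_type.type, "application") == 0 &&
		stricmp2(&rdata->msg->body->content_type.subtype, "simple-message-summary") == 0;
}

/* Guarded check: a request with no message or no body is simply not an
 * MWI NOTIFY, so it returns 0 (the PJ_FALSE path) instead of crashing. */
int notify_is_mwi_guarded(const rx_data_t *rdata)
{
	const msg_body_t *body = (rdata && rdata->msg) ? rdata->msg->body : NULL;
	if (body == NULL)
		return 0;
	return stricmp2(&body->content_type.type, "application") == 0 &&
		stricmp2(&body->content_type.subtype, "simple-message-summary") == 0;
}

/* Build a constructed request with the given Content-Type and run the
 * guarded check on it.  type == NULL means "no body at all". */
int classify_notify(const char *type, const char *subtype)
{
	msg_body_t body;
	msg_t msg;
	rx_data_t rdata;

	msg.body = NULL;
	if (type != NULL) {
		body.content_type.type.ptr = type;
		body.content_type.type.slen = (long)strlen(type);
		body.content_type.subtype.ptr = subtype;
		body.content_type.subtype.slen = (long)strlen(subtype);
		msg.body = &body;
	}
	rdata.msg = &msg;
	return notify_is_mwi_guarded(&rdata);
}

int main(void)
{
	printf("no body:              %d\n", classify_notify(NULL, NULL));
	printf("application/simple-message-summary: %d\n",
		classify_notify("application", "simple-message-summary"));
	printf("text/plain:           %d\n", classify_notify("text", "plain"));
	return 0;
}
```

The guard is the whole point: the comparison itself was fine, it was reached with a pointer the parser legitimately leaves NULL for a body-less request, so the fix belongs before the first dereference rather than inside the string compare.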
Comments:

By: Asterisk Team (asteriskteam) 2017-09-19 09:34:49.819-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: George Joseph (gjoseph) 2017-09-19 10:19:55.707-0500

I can reproduce.


By: Friendly Automation (friendly-automation) 2017-09-20 08:01:50.092-0500

Change 6538 merged by Jenkins2:
res_pjsip_pubsub:  Check for Content-Type header in rx_notify_request

[https://gerrit.asterisk.org/6538|https://gerrit.asterisk.org/6538]

By: Friendly Automation (friendly-automation) 2017-09-20 08:12:55.027-0500

Change 6540 merged by Jenkins2:
res_pjsip_pubsub:  Check for Content-Type header in rx_notify_request

[https://gerrit.asterisk.org/6540|https://gerrit.asterisk.org/6540]

By: Friendly Automation (friendly-automation) 2017-09-20 08:13:28.710-0500

Change 6539 merged by Joshua Colp:
res_pjsip_pubsub:  Check for Content-Type header in rx_notify_request

[https://gerrit.asterisk.org/6539|https://gerrit.asterisk.org/6539]

By: Friendly Automation (friendly-automation) 2017-09-20 09:16:25.601-0500

Change 6541 merged by Jenkins2:
res_pjsip_pubsub:  Check for Content-Type header in rx_notify_request

[https://gerrit.asterisk.org/6541|https://gerrit.asterisk.org/6541]