Details
- Type: Bug
- Status: Closed
- Severity: Critical
- Resolution: Fixed
- Affects Version/s: 13.17.2, GIT, 15.0.0
Description
It appears we leak the struct ast_sip_session associated with any call that is rejected before being established. In the case of 488 this leak includes RTP instances, which can be easily exploited to use up all RTP ports.
chan_pjsip is vulnerable to any SIP client that it accepts inbound calls from. This issue was found using REF_DEBUG with the testsuite tests/channels/pjsip/sdp_offer_answer/incoming/off-nominal/multiple-media-stream/audio-video/codec-mismatch; specifically, the uac-codec-mismatch.xml scenario leaks 2 RTP instances. I verified that a 15-minute delay before shutdown of Asterisk does not release the resources.
RTP instance creation occurs after the authentication step, so this can only be exploited if authentication is disabled or by users with SIP credentials. Still, when an administrator gives someone SIP credentials, they do not intend to give access to effectively shut down Asterisk.
Issue Links
- is a clone of SWP-10028
I have not investigated any outbound scenarios; I cannot say for sure that this is an issue for outbound calls (like if we dial out and receive a 488 response). If we have any other call setup failures that can occur after the creation of RTP instances, then we still need to check those for this bug. I'm not sure when the call reaches a state where it is fully established to ensure cleanup when the call ends.
Note: Other errors that occur earlier in the outbound call initiation process are not as much of an issue; they leak a SIP session but no RTP ports. The 488 response is a bigger deal because it happens after the RTP instances are created. We leak SIP sessions in paths where an inbound call is rejected by res_pjsip_session.c:new_invite().
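The leak pattern reported above, as a toy C model added here for illustration; it is not Asterisk code and not the project's fix. The struct, the function names, the 8-port pool and the 503 returned on exhaustion are all assumptions of the model: a ref-counted session owns two RTP ports, and a reject path that never drops its reference keeps them allocated.

```c
#include <stdio.h>
#include <stdlib.h>

#define RTP_POOL 8                 /* constructed: tiny RTP port range */
static int ports_in_use;

struct session {                   /* hypothetical stand-in for ast_sip_session */
    int refs;
    int rtp_ports;                 /* ports held by this session's RTP instances */
};

static struct session *session_alloc(void) {
    struct session *s = calloc(1, sizeof(*s));
    if (s) s->refs = 1;            /* creator holds the first reference */
    return s;
}

static void session_unref(struct session *s) {
    if (s && --s->refs == 0) {     /* destructor runs only on the last unref */
        ports_in_use -= s->rtp_ports;
        free(s);
    }
}

/* Audio + video offer: two RTP instances, as in the codec-mismatch scenario. */
static int create_rtp(struct session *s) {
    if (ports_in_use + 2 > RTP_POOL) return -1;   /* pool exhausted */
    ports_in_use += 2;
    s->rtp_ports = 2;
    return 0;
}

/* One inbound INVITE rejected after RTP creation; returns the status sent. */
static int handle_rejected_invite(int drop_ref_on_reject) {
    struct session *s = session_alloc();
    if (!s) return 500;
    if (create_rtp(s) != 0) { session_unref(s); return 503; }
    /* Codec mismatch is detected here, after the ports were taken. */
    if (drop_ref_on_reject) session_unref(s);     /* corrected reject path */
    /* Leaky reject path: reference never dropped, ports stay allocated. */
    return 488;
}

int main(void) {
    for (int i = 0; i < 6; i++) {
        int status = handle_rejected_invite(0);   /* leaky path */
        printf("call %d -> %d, ports in use: %d/%d\n", i, status, ports_in_use, RTP_POOL);
    }
    return 0;
}
```

In the model, four rejected calls on the leaky path consume the whole pool and every later call fails, whichever path it takes; on the corrected path the port count returns to zero after each rejection.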