Summary: ASTERISK-27345: res_pjsip_session: RTP instances leak on 488 responses.
Reporter: Corey Farrell (coreyfarrell)
Labels: Security pjsip
Date Opened: 2017-10-15 11:16:43
Date Closed: 2017-11-08 09:21:28.000-0600
Priority: Critical
Regression?
Status: Closed/Complete
Components: Resources/res_pjsip Resources/res_pjsip_sdp_rtp Resources/res_pjsip_session
Versions: 13.17.2 GIT 15.0.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: It appears we leak the {{struct ast_sip_session}} associated with any call that is rejected before being established.  In the case of 488 this leak includes RTP instances, which can be easily exploited to use up all RTP ports.

chan_pjsip is vulnerable to any SIP client that it accepts inbound calls from.  This issue was found using REF_DEBUG with the testsuite {{tests/channels/pjsip/sdp_offer_answer/incoming/off-nominal/multiple-media-stream/audio-video/codec-mismatch}}; specifically, the {{uac-codec-mismatch.xml}} scenario leaks 2 RTP instances.  I verified that a 15-minute delay before shutdown of Asterisk does not release the resources.

RTP instance creation occurs after the authentication step, so this can only be exploited if authentication is disabled or by users with SIP credentials.  Still, when an administrator gives someone SIP credentials, they do not intend to give access to effectively shut down Asterisk.
Comments:

By: Corey Farrell (coreyfarrell) 2017-10-15 11:45:47.917-0500

I have not investigated any outbound scenarios, so I cannot say for sure that this is an issue for outbound calls (like if we dial out and receive a 488 response).  If we have any other call setup failures that can occur after the creation of RTP instances then we still need to check those for this bug.  I'm not sure when the call reaches a state where it is fully established to ensure cleanup when the call ends.

Note: Other errors that occur earlier in the outbound call initiation process are not as much of an issue; they leak a SIP session but no RTP ports.  The 488 response is a bigger deal because it happens after the RTP instances are created.  We leak SIP sessions in paths where an inbound call is rejected by {{res_pjsip_session.c:new_invite()}}.
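
The failure mode described in the report and the comment above, as an added example that is not part of the original issue and is not Asterisk code: a rejection path that runs after media setup but never drops the session reference strands the ports that session holds. It assumes the leak behaves like a missed reference release (the page does not show the actual fix); every name and the 8-port pool are constructed for illustration.

```c
/* Simplified model, not Asterisk source; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RTP_PORTS 8                     /* constructed, tiny pool */
static int port_in_use[RTP_PORTS];
struct session { int refs, nports, ports[2]; };
static int port_alloc(void) {
    for (int i = 0; i < RTP_PORTS; i++)
        if (!port_in_use[i]) { port_in_use[i] = 1; return i; }
    return -1;                          /* pool exhausted */
}
static int ports_used(void) {
    int n = 0;
    for (int i = 0; i < RTP_PORTS; i++) n += port_in_use[i];
    return n;
}
/* Ports return to the pool only when the last reference is dropped. */
static void session_unref(struct session *s) {
    if (--s->refs > 0) return;
    for (int i = 0; i < s->nports; i++) port_in_use[s->ports[i]] = 0;
    free(s);
}
/* One inbound offer rejected with 488 after media setup; -1 = no port left. */
static int handle_rejected_invite(int release_on_reject) {
    struct session *s = calloc(1, sizeof(*s));
    if (!s) return -1;
    s->refs = 1;
    for (int m = 0; m < 2; m++) {       /* audio + video stream */
        int p = port_alloc();
        if (p < 0) { session_unref(s); return -1; }
        s->ports[s->nports++] = p;
    }
    /* codec mismatch found here: answer 488 */
    if (release_on_reject) session_unref(s);   /* corrected path */
    return 0;               /* leaky path: session and ports are orphaned */
}
/* Reject `calls` offers from an empty pool; count those that got no port. */
static int run(int calls, int release_on_reject) {
    int starved = 0;
    memset(port_in_use, 0, sizeof(port_in_use));
    while (calls-- > 0) starved += handle_rejected_invite(release_on_reject) < 0;
    return starved;
}
int main(void) {
    int leaky = run(10, 0), held = ports_used(), fixed = run(10, 1);
    printf("of 10 calls: leaky starved=%d (ports held=%d), fixed starved=%d\n", leaky, held, fixed);
    return 0;
}
```

In the leaky run the pool stays full after the last rejected call, which is the condition REF_DEBUG surfaces as an unreleased reference.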

By: Friendly Automation (friendly-automation) 2017-11-08 09:21:29.529-0600

Change 7135 merged by Jenkins2:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7135|https://gerrit.asterisk.org/7135]

By: Friendly Automation (friendly-automation) 2017-11-08 09:45:04.659-0600

Change 7137 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7137|https://gerrit.asterisk.org/7137]

By: Friendly Automation (friendly-automation) 2017-11-08 09:45:13.209-0600

Change 7138 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7138|https://gerrit.asterisk.org/7138]

By: Friendly Automation (friendly-automation) 2017-11-08 09:45:30.061-0600

Change 7134 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7134|https://gerrit.asterisk.org/7134]

By: Friendly Automation (friendly-automation) 2017-11-08 09:45:50.837-0600

Change 7140 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7140|https://gerrit.asterisk.org/7140]

By: Friendly Automation (friendly-automation) 2017-11-08 09:46:01.073-0600

Change 7141 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7141|https://gerrit.asterisk.org/7141]

By: Friendly Automation (friendly-automation) 2017-11-08 09:46:05.829-0600

Change 7136 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7136|https://gerrit.asterisk.org/7136]

By: Friendly Automation (friendly-automation) 2017-11-08 09:46:10.094-0600

Change 7139 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7139|https://gerrit.asterisk.org/7139]

By: Friendly Automation (friendly-automation) 2017-11-08 09:46:13.784-0600

Change 7142 merged by George Joseph:
AST-2017-011 - res_pjsip_session: session leak when a call is rejected

[https://gerrit.asterisk.org/7142|https://gerrit.asterisk.org/7142]