[Home]

Summary:ASTERISK-27452: Security: chan_skinny: Memory exhaustion if flooded with unauthenticated requests
Reporter:George Joseph (gjoseph)Labels:
Date Opened:2017-11-30 12:08:37.000-0600Date Closed:2017-12-01 13:29:24.000-0600
Priority:CriticalRegression?
Status:Closed/CompleteComponents:Channels/chan_skinny
Versions:13.18.2 GIT 15.1.2 Frequency of
Occurrence
Constant
Related
Issues:
Environment:Attachments:( 0) AST-2017-013.txt
Description:If chan_skinny is flooded with requests, asterisk will quickly escalate virtual memory (but not resident memory) to the point where no new memory allocations are possible.
Comments:By: George Joseph (gjoseph) 2017-11-30 15:18:48.751-0600

Analysis:
chan_skinny creates a new thread for each new session. In trying to be a good cleanup citizen, the threads are joinable and the unload_module function does a pthread_cancel() and a pthread_join() on any sessions that are active at that time. This has an unintended side effect though. Since you can call pthread_join on a thread that's already terminated, pthreads keeps the thread's storage around until you explicitly call pthread_join (or pthread_detach()). Since only the module_unload function was calling pthread_join, and even then only on the ones active at the tme, the storage for every thread/session ever created sticks around until asterisk exits.
The solution was just to have every thread call pthread_detach() on itself before exiting.


By: Friendly Automation (friendly-automation) 2017-12-01 13:29:25.504-0600

Change 7412 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7412|https://gerrit.asterisk.org/7412]

By: Friendly Automation (friendly-automation) 2017-12-01 13:29:36.637-0600

Change 7413 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7413|https://gerrit.asterisk.org/7413]

By: Friendly Automation (friendly-automation) 2017-12-01 13:29:45.978-0600

Change 7411 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7411|https://gerrit.asterisk.org/7411]

By: Friendly Automation (friendly-automation) 2017-12-01 13:29:56.192-0600

Change 7414 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7414|https://gerrit.asterisk.org/7414]

By: Friendly Automation (friendly-automation) 2017-12-01 13:30:05.711-0600

Change 7415 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7415|https://gerrit.asterisk.org/7415]

By: Friendly Automation (friendly-automation) 2017-12-01 13:30:15.964-0600

Change 7416 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7416|https://gerrit.asterisk.org/7416]

By: Friendly Automation (friendly-automation) 2017-12-01 13:30:25.629-0600

Change 7417 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7417|https://gerrit.asterisk.org/7417]

By: Friendly Automation (friendly-automation) 2017-12-01 13:30:35.160-0600

Change 7418 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7418|https://gerrit.asterisk.org/7418]

By: Friendly Automation (friendly-automation) 2017-12-01 13:31:07.138-0600

Change 7419 merged by George Joseph:
AST-2017-013: chan_skinny: Call pthread_detach when sess threads end

[https://gerrit.asterisk.org/7419|https://gerrit.asterisk.org/7419]