Summary: ASTERISK-27640: SUBSCRIBE message with a large Accept value causes stack corruption
Reporter: Sandro Gauci (sandrogauci)
Labels: patch security
Date Opened: 2018-01-30 06:23:11.000-0600
Date Closed: 2018-02-21 10:38:34.000-0600
Priority: Blocker
Regression?:
Status: Closed/Complete
Components: Channels/chan_pjsip
Versions: 15.2.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
(0) advisory.md
(1) ASTERISK-27640.diff
(2) extensions.conf
(3) pjsip.conf

Description: A large SUBSCRIBE message with multiple malformed `Accept` headers will crash Asterisk due to stack corruption. Please see advisory.md for full details and script to reproduce the issue.

Configuration files are attached too.
Comments:

By: Asterisk Team (asteriskteam) 2018-01-30 06:23:13.296-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-01-30 06:23:13.580-0600

The severity of this issue has been automatically downgraded from "Blocker" to "Major". The "Blocker" severity is reserved for issues which have been determined to block the next release of Asterisk. This severity can only be set by privileged users. If this issue is deemed to block the next release it will be updated accordingly during the triage process.

By: Asterisk Team (asteriskteam) 2018-01-30 06:23:13.829-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Sandro Gauci (sandrogauci) 2018-01-30 06:24:45.147-0600

advisory attached with full details

By: Sandro Gauci (sandrogauci) 2018-01-30 06:26:48.414-0600

config files of interest (generate your own keys)

By: George Joseph (gjoseph) 2018-01-30 08:49:55.168-0600

We're checking.


By: Joshua C. Colp (jcolp) 2018-02-06 04:42:00.029-0600

I've attached a patch which resolves this issue under testing, can you please confirm it works for you?

As well the problem is not the length of an Accept header. It is the number of Accept headers. If there are more than 32 then the problem occurs.
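
The limit described in the comment above, shown as an added example (this is not the attached patch or any Asterisk code): Accept values are copied into a fixed 32-slot table and the index is checked before every write, so a 33rd header is rejected instead of landing past the end of the array. The function names, the 64-byte slot size, the one-value-per-header simplification and the sample message are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ACCEPT 32   /* limit named in the comment above */
#define ACCEPT_LEN 64   /* assumed slot size, not from the page */

/* Copy Accept values from a raw SIP message into a fixed table.
 * Returns the number stored, or -1 if the message has more than MAX_ACCEPT. */
int collect_accept(const char *msg, char out[MAX_ACCEPT][ACCEPT_LEN])
{
    int n = 0;
    for (const char *line = msg; *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                    /* blank line ends the headers */
        if (len >= 7 && strncasecmp(line, "Accept:", 7) == 0) {
            if (n >= MAX_ACCEPT) return -1;     /* reject before writing slot 32 */
            const char *v = line + 7;
            size_t vlen = len - 7;
            while (vlen && (*v == ' ' || *v == '\t')) { v++; vlen--; }
            if (vlen >= ACCEPT_LEN) vlen = ACCEPT_LEN - 1;  /* truncate long values */
            memcpy(out[n], v, vlen);
            out[n][vlen] = '\0';
            n++;
        }
        line = eol ? eol + 2 : line + len;
    }
    return n;
}

/* Constructed sample input: a SUBSCRIBE carrying `count` Accept headers. */
void build_subscribe(char *buf, size_t cap, int count)
{
    size_t off = (size_t)snprintf(buf, cap, "SUBSCRIBE sip:100@example.invalid SIP/2.0\r\n");
    for (int i = 0; i < count && off < cap; i++)
        off += (size_t)snprintf(buf + off, cap - off, "Accept: application/x-t%d\r\n", i);
}

int main(void)
{
    char msg[4096], table[MAX_ACCEPT][ACCEPT_LEN];
    for (int k = 31; k <= 33; k++) {
        build_subscribe(msg, sizeof msg, k);
        printf("%d Accept headers -> %d\n", k, collect_accept(msg, table));
    }
    return 0;
}
```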

By: Sandro Gauci (sandrogauci) 2018-02-06 07:56:07.427-0600

thanks! Will test and let you know.

By: Sandro Gauci (sandrogauci) 2018-02-06 07:56:08.059-0600

thanks! Will test and let you know.

By: Sandro Gauci (sandrogauci) 2018-02-10 00:06:25.736-0600

Tested the patch and it looks like the issue has been fixed. Thanks!

By: Friendly Automation (friendly-automation) 2018-02-21 10:38:35.673-0600

Change 8322 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8322|https://gerrit.asterisk.org/8322]

By: Friendly Automation (friendly-automation) 2018-02-21 10:38:48.752-0600

Change 8315 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8315|https://gerrit.asterisk.org/8315]

By: Friendly Automation (friendly-automation) 2018-02-21 10:38:59.777-0600

Change 8316 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8316|https://gerrit.asterisk.org/8316]

By: Friendly Automation (friendly-automation) 2018-02-21 10:39:08.260-0600

Change 8317 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8317|https://gerrit.asterisk.org/8317]

By: Friendly Automation (friendly-automation) 2018-02-21 10:39:20.562-0600

Change 8321 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8321|https://gerrit.asterisk.org/8321]

By: Friendly Automation (friendly-automation) 2018-02-21 10:39:31.754-0600

Change 8320 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8320|https://gerrit.asterisk.org/8320]

By: Friendly Automation (friendly-automation) 2018-02-21 10:39:40.297-0600

Change 8319 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8319|https://gerrit.asterisk.org/8319]

By: Friendly Automation (friendly-automation) 2018-02-21 10:39:50.303-0600

Change 8318 merged by Joshua Colp:
AST-2018-004: Restrict the number of Accept headers in a SUBSCRIBE.

[https://gerrit.asterisk.org/8318|https://gerrit.asterisk.org/8318]