Summary: | ASTERISK-27807: iostreams: Potential DoS when client connection closed prematurely | ||
Reporter: | Sean Bright (seanbright) | Labels: | security |
Date Opened: | 2018-04-16 14:04:45 | Date Closed: | 2018-06-11 12:37:19 |
Priority: | Blocker | Regression? | |
Status: | Closed/Complete | Components: | Core/HTTP |
Versions: | 15.3.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) AST-2018-007.pdf ( 1) reproduce.txt | |
Description: | Before Asterisk sends an HTTP response (at least in the case of errors), it attempts to read & discard the content of the request. If the client lies about the Content-Length, or the connection is closed from the client side before "Content-Length" bytes are sent, the request handling thread will busy loop. I tracked this down to the SSL handling in main/iostream.c.
I've attached a file that will help in reproducing this problem. You can test it against a running Asterisk 15 with the following:
{noformat}
cat reproduce.txt | openssl s_client -connect whatever.your.hostname.is.com:8089 -ign_eof
{noformat}
Once connected, just hit Ctrl-C and the Asterisk thread will start using 100% CPU.
Comments: |
By: Asterisk Team (asteriskteam) 2018-04-16 14:04:47.857-0500
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Asterisk Team (asteriskteam) 2018-04-16 14:04:48.616-0500
This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Sean Bright (seanbright) 2018-04-16 14:27:44.157-0500
I was unable to reproduce on Asterisk 13, so this appears to be iostreams only, and only when TLS is being used.

By: Friendly Automation (friendly-automation) 2018-06-11 12:37:22.057-0500
Change 9152 merged by Kevin Harwell: AST-2018-007: iostreams potential DoS when client connection closed prematurely [https://gerrit.asterisk.org/9152|https://gerrit.asterisk.org/9152]

By: Friendly Automation (friendly-automation) 2018-06-11 12:37:31.099-0500
Change 9169 merged by Kevin Harwell: AST-2018-007: iostreams potential DoS when client connection closed prematurely [https://gerrit.asterisk.org/9169|https://gerrit.asterisk.org/9169]

By: Friendly Automation (friendly-automation) 2018-06-11 12:37:39.691-0500
Change 9155 merged by Kevin Harwell: AST-2018-007: iostreams potential DoS when client connection closed prematurely [https://gerrit.asterisk.org/9155|https://gerrit.asterisk.org/9155]

By: Friendly Automation (friendly-automation) 2018-06-11 15:53:28.265-0500
Change 9171 merged by Kevin Harwell: AST-2018-007: iostreams potential DoS when client connection closed prematurely [https://gerrit.asterisk.org/9171|https://gerrit.asterisk.org/9171]