ASTERISK-28013

res_http_websocket: Crash when reading HTTP Upgrade requests

      Description

      The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash.

      NOTE: A bug in ast_iostream_gets() currently gives 15+ versions some slight protection against req.txt causing a crash, because that file's extra-long header values exceed the line length it accepts and the request is rejected as a result. However, if the header lines were 2K long, with more of them to compensate, we would still get the crash from blowing the stack.
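As an added example that is not part of this issue or of Asterisk's code, the following C reader bounds the accumulated size of the headers in an Upgrade request, so that many moderately long lines are rejected just as a single over-long line is, before any per-header storage is reserved. The header name, the two limits and the check_request helper are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example, not Asterisk's res_http_websocket code; the two limits
 * are assumptions chosen for illustration. */
#define MAX_HEADER_LINE  2048   /* per-line cap, like the long-line rejection noted above */
#define MAX_HEADER_TOTAL 16384  /* cap on the sum of header bytes in one request */

/* Scans CRLF-terminated header lines in `req` (text after the request line);
 * headers end at an empty line. Returns the number of lines accepted, or -1
 * if the request is rejected before any per-header storage is reserved. */
int read_upgrade_headers(const char *req)
{
    size_t total = 0;
    int count = 0;
    const char *p = req;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len == 0) return count;            /* blank line: end of headers */
        if (len > MAX_HEADER_LINE) return -1;  /* a single line is too long */
        /* Bound the sum, not only each line: this is what stops "2K-long
         * headers with more of them to compensate" from piling up. */
        if (total + len > MAX_HEADER_TOTAL) return -1;
        total += len;
        count++;
        if (!eol) break;                       /* unterminated final line */
        p = eol + 2;
    }
    return count;
}

/* Builds a constructed request of `n` "X-Test: aaa..." headers whose values
 * are `value_len` bytes, runs the reader on it and returns the result. */
int check_request(int n, size_t value_len)
{
    const char *name = "X-Test: ";
    size_t nlen = strlen(name), i;
    char *req = malloc((size_t)n * (nlen + value_len + 2) + 3), *w = req;
    if (!req) return -1;
    for (i = 0; i < (size_t)n; i++) {
        memcpy(w, name, nlen);      w += nlen;
        memset(w, 'a', value_len);  w += value_len;
        memcpy(w, "\r\n", 2);       w += 2;
    }
    memcpy(w, "\r\n", 3);                      /* terminating blank line plus NUL */
    int result = read_upgrade_headers(req);
    free(req);
    return result;
}
```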

      Attachment: req.txt, 391 kB, Sean Bright


          Activity

          Friendly Automation added a comment -

          Change 10222 merged by Richard Mudgett:
          AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

          https://gerrit.asterisk.org/10222

          Friendly Automation added a comment -

          Change 10221 merged by Richard Mudgett:
          AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

          https://gerrit.asterisk.org/10221

          Friendly Automation added a comment -

          Change 10223 merged by Richard Mudgett:
          AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

          https://gerrit.asterisk.org/10223

          Friendly Automation added a comment -

          Change 10224 merged by Richard Mudgett:
          AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

          https://gerrit.asterisk.org/10224

          Friendly Automation added a comment -

          Change 10225 merged by Richard Mudgett:
          AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

          https://gerrit.asterisk.org/10225

