Summary: | ASTERISK-28013: res_http_websocket: Crash when reading HTTP Upgrade requests | ||
Reporter: | Sean Bright (seanbright) | Labels: | security |
Date Opened: | 2018-08-16 11:07:00 | Date Closed: | 2018-09-20 12:31:03 |
Priority: | Blocker | Regression? | |
Status: | Closed/Complete | Components: | Resources/res_http_websocket |
Versions: | 13.22.0 14.7.7 15.5.0 16.0.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) req.txt | |
Description: | The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash.
NOTE: A bug in ast_iostream_gets() currently gives 15+ versions some slight protection from [^req.txt] causing a crash because the extra long header values are too long. The extra long lines cause the request to be rejected as a result. However, if they were 2K long with more of them to compensate we would still get the crash from blowing the stack. | ||
Comments: | By: Asterisk Team (asteriskteam) 2018-08-16 11:07:02.869-0500
This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-08-16 11:07:03.513-0500
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Sean Bright (seanbright) 2018-08-16 11:09:11.415-0500
Sample request that causes the crash

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:04.528-0500
Change 10216 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10216|https://gerrit.asterisk.org/10216]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:11.074-0500
Change 10217 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10217|https://gerrit.asterisk.org/10217]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:16.303-0500
Change 10218 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10218|https://gerrit.asterisk.org/10218]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:23.314-0500
Change 10219 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10219|https://gerrit.asterisk.org/10219]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:26.766-0500
Change 10220 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10220|https://gerrit.asterisk.org/10220]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:31.672-0500
Change 10222 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10222|https://gerrit.asterisk.org/10222]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:37.700-0500
Change 10221 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10221|https://gerrit.asterisk.org/10221]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:43.596-0500
Change 10223 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10223|https://gerrit.asterisk.org/10223]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:48.433-0500
Change 10224 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10224|https://gerrit.asterisk.org/10224]

By: Friendly Automation (friendly-automation) 2018-09-20 12:31:52.988-0500
Change 10225 merged by Richard Mudgett: AST-2018-009: Fix crash processing websocket HTTP Upgrade requests [https://gerrit.asterisk.org/10225|https://gerrit.asterisk.org/10225] |
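
The issue description attributes the crash to stack space that grows with the headers a client sends in an Upgrade request. The C code below is an added example, not code from Asterisk or from the merged changes: it reads header lines in place and copies only three values into fixed, caller-owned buffers. `ws_parse_upgrade`, `struct ws_upgrade`, `MAX_HEADERS`, `MAX_VALUE` and the limit values are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define MAX_HEADERS 64   /* assumed cap on header lines per request */
#define MAX_VALUE   256  /* assumed cap on a stored header value */

struct ws_upgrade {      /* hypothetical result type */
    char upgrade[MAX_VALUE];
    char key[MAX_VALUE];
    char protocol[MAX_VALUE];
};

/* Copy a whitespace-trimmed value into a fixed buffer; reject, never truncate. */
static int store(char *dst, const char *val, size_t len)
{
    while (len && (*val == ' ' || *val == '\t')) { val++; len--; }
    while (len && (val[len - 1] == ' ' || val[len - 1] == '\t')) len--;
    if (len >= MAX_VALUE) return -1;
    memcpy(dst, val, len);
    dst[len] = '\0';
    return 0;
}

/*
 * Parse "Name: value" lines with no alloca()/strdupa(): stack use is constant
 * regardless of how many headers arrive or how long they are.
 * Returns 0 on success, -1 if the request should be rejected.
 */
int ws_parse_upgrade(const char *const *lines, size_t n, struct ws_upgrade *out)
{
    static const char *const names[] =
        { "Upgrade", "Sec-WebSocket-Key", "Sec-WebSocket-Protocol" };
    char *const slots[] = { out->upgrade, out->key, out->protocol };

    memset(out, 0, sizeof(*out));
    if (n > MAX_HEADERS) return -1;
    for (size_t i = 0; i < n; i++) {
        const char *colon = strchr(lines[i], ':');
        if (!colon) return -1;
        size_t nlen = (size_t)(colon - lines[i]);
        for (size_t s = 0; s < 3; s++)
            if (strlen(names[s]) == nlen && !strncasecmp(lines[i], names[s], nlen)
                && store(slots[s], colon + 1, strlen(colon + 1)) != 0)
                return -1;
    }
    return (out->upgrade[0] && out->key[0]) ? 0 : -1;
}
```

The caller is still expected to bound the length of each line it reads before handing it to a parser like this one.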