[Home]

Summary:ASTERISK-28570: Potential infinite loop in function find_matching_priority
Reporter:Yoooooo Ha (Yooooooha)Labels:
Date Opened:2019-10-07 08:54:00Date Closed:2019-10-22 12:00:03
Priority:MajorRegression?
Status:Closed/CompleteComponents:Applications/app_while
Versions:16.6.0 Frequency of
Occurrence
Related
Issues:
Environment:NoAttachments:
Description:Summary: Potential infinite loop in function find_matching_priority.

{code}
static struct ast_exten *find_matching_priority(struct ast_context *c,
const char *exten, int priority, const char *callerid)
{
        struct ast_exten *e;
        struct ast_context *c2;
        int idx;

        for (e=ast_walk_context_extensions(c, NULL); e; e=ast_walk_context_extensions(c, e)) {
                if (ast_extension_match(ast_get_extension_name(e), exten)) {
                        int needmatch = ast_get_extension_matchcid(e);
                        if ((needmatch && ast_extension_match(ast_get_extension_cidmatch(e), callerid)) ||
                                (!needmatch)) {
                                /* This is the matching extension we want */
                                struct ast_exten *p;
                                for (p=ast_walk_extension_priorities(e, NULL); p; p=ast_walk_extension_priorities(e, p)) {
                                        if (priority != ast_get_extension_priority(p))
                                                continue;
                                        return p;
                                }
                        }
                }
        }

        /* No match; run through includes */
        for (idx = 0; idx < ast_context_includes_count(c); idx++) {
                const struct ast_include *i = ast_context_includes_get(c, idx);

                for (c2=ast_walk_contexts(NULL); c2; c2=ast_walk_contexts(c2)) {
                        if (!strcmp(ast_get_context_name(c2), ast_get_include_name(i))) {
                                e = find_matching_priority(c2, exten, priority, callerid);
                                if (e)
                                        return e;
                        }
                }
        }
        return NULL;
}
{code}

Function find_matching_priority is a recursive function, and it is
called by function find_matching_endwhile.
There is possibility that an infinite loop occurs.
The vulnerability is same as the one fixed in
https://gerrit.asterisk.org/c/asterisk/+/8931
(ASTERISK-26570)
Comments:By: Asterisk Team (asteriskteam) 2019-10-07 08:54:01.383-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.
By: Benjamin Keith Ford (bford) 2019-10-07 09:24:19.964-0500

Have you seen an infinite loop as a result of this code? If so, what are your steps for reproducing it? It looks like the code will finish execution after going through all includes.
By: Yoooooo Ha (Yooooooha) 2019-10-07 09:30:18.849-0500

I am not sure about this possible bug. There is no PoC.
It was found by analyzing previous security patch.
Since the function is same as the one fixed in
https://gerrit.asterisk.org/c/asterisk/+/8931.

By: Benjamin Keith Ford (bford) 2019-10-08 08:10:57.809-0500

Would you like to work on this one as well? Both issues seem to have solutions already proposed.
By: Asterisk Team (asteriskteam) 2019-10-22 12:00:03.314-0500

Suspended due to lack of activity. This issue will be automatically re-opened if the reporter posts a comment. If you are not the reporter and would like this re-opened please create a new issue instead. If the new issue is related to this one a link will be created during the triage process. Further information on issue tracker usage can be found in the Asterisk Issue Guidlines [1].

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines