Summary: ASTERISK-29057: pjsip: Crash on call rejection during high load
Reporter: Sandro Gauci (sandrogauci)
Labels: patch security
Date Opened: 2020-08-31 09:32:41
Date Closed: 2020-11-06 22:06:06.000-0600
Priority: Blocker
Regression?: No
Status: Closed/Complete
Components: pjproject/pjsip
Versions: 13.35.0 16.12.0 17.6.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) AST-2020-001.pdf
(1) ASTERISK-29057-16.diff
(2) backtrace.txt
(3) security.txt
Description:This is a crash within PJSIP whereby under heavy load the INVITE transaction on an INVITE session may not be set when sending a response, resulting in a crash.
Comments:

By: Asterisk Team (asteriskteam) 2020-08-31 09:32:52.019-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Sandro Gauci (sandrogauci) 2020-10-07 22:26:45.707-0500

Let us know if you have any updates, we'll be happy to test a fix from our side.

By: Joshua C. Colp (jcolp) 2020-10-08 03:36:36.393-0500

A fix is still being worked on; there are no updates currently.

By: Sandro Gauci (sandrogauci) 2020-10-08 03:53:59.018-0500

no problem - thanks Joshua

By: Kevin Harwell (kharwell) 2020-10-29 11:45:16.287-0500

I've attached [^ASTERISK-29057-16.diff] that should resolve this issue. The patch is against the Asterisk 16 branch. If you need another version let me know.

Our testing has shown the patch does indeed resolve the issue reported here, but it also may have uncovered another issue. We are still investigating that.

Please test the patch to ensure it resolves this issue, and let us know if you run into any other problems.

Thanks!

By: Kevin Harwell (kharwell) 2020-10-29 11:49:21.191-0500

Also, I've attached [^AST-2020-001.pdf] for your review, which is a draft of the document that'll be published at release time.

Dates, and CVE to be filled in later, but if you see anything you feel needs more clarification please let me know.

Thanks!

By: Sandro Gauci (sandrogauci) 2020-10-29 23:12:54.496-0500

Thanks Kevin! We'll test (probably next week) and get back to you. Do let me know if there are updates to the patch.

By: Sandro Gauci (sandrogauci) 2020-11-04 00:19:48.086-0600

Hello Kevin, thanks for the patch. We have tested it and are unable to reproduce the crashes that were previously observed. I think the issue has been fixed. Indeed there may be other problems as we are seeing 503s but still need to investigate. One issue at a time :-)

As for AST-2020-001.pdf - thanks for that. We would disagree with the susceptibility being necessarily "Remote authenticated sessions" since this is dependent on configuration. But you do in fact highlight this in the description. So, it's probably clear enough for those who have such configuration.

Do you have a release date yet?

By: Kevin Harwell (kharwell) 2020-11-04 15:28:57.680-0600

Hi Sandro,

Thanks for testing out the patch, and confirming it fixed things. It's much appreciated.
{quote}
Do you have a release date yet?
{quote}
The plan is to release it tomorrow, November 5, 2020 if there are no other delays.

By: Sandro Gauci (sandrogauci) 2020-11-04 21:53:20.343-0600

Hi Kevin, thanks for the answers! Best wishes,

Sandro

By: Friendly Automation (friendly-automation) 2020-11-05 11:03:48.567-0600

Change 15162 merged by Kevin Harwell:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15162|https://gerrit.asterisk.org/c/asterisk/+/15162]

By: Friendly Automation (friendly-automation) 2020-11-05 11:04:04.288-0600

Change 15163 merged by Kevin Harwell:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15163|https://gerrit.asterisk.org/c/asterisk/+/15163]

By: Friendly Automation (friendly-automation) 2020-11-05 11:53:42.444-0600

Change 15164 merged by George Joseph:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15164|https://gerrit.asterisk.org/c/asterisk/+/15164]

By: Friendly Automation (friendly-automation) 2020-11-05 11:54:11.742-0600

Change 15165 merged by George Joseph:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15165|https://gerrit.asterisk.org/c/asterisk/+/15165]

By: Friendly Automation (friendly-automation) 2020-11-05 14:18:31.304-0600

Change 15166 merged by George Joseph:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15166|https://gerrit.asterisk.org/c/asterisk/+/15166]

By: Friendly Automation (friendly-automation) 2020-11-05 14:19:35.067-0600

Change 15167 merged by George Joseph:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15167|https://gerrit.asterisk.org/c/asterisk/+/15167]

By: Friendly Automation (friendly-automation) 2020-11-05 14:58:34.626-0600

Change 15151 merged by Kevin Harwell:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15151|https://gerrit.asterisk.org/c/asterisk/+/15151]

By: Friendly Automation (friendly-automation) 2020-11-05 14:58:57.938-0600

Change 15153 merged by Kevin Harwell:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15153|https://gerrit.asterisk.org/c/asterisk/+/15153]

By: Friendly Automation (friendly-automation) 2020-11-05 14:59:17.304-0600

Change 15154 merged by Kevin Harwell:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15154|https://gerrit.asterisk.org/c/asterisk/+/15154]

By: Friendly Automation (friendly-automation) 2020-11-05 14:59:32.987-0600

Change 15155 merged by Kevin Harwell:
AST-2020-001 - res_pjsip: Return dialog locked and referenced

[https://gerrit.asterisk.org/c/asterisk/+/15155|https://gerrit.asterisk.org/c/asterisk/+/15155]

By: Kevin Harwell (kharwell) 2020-11-06 12:39:33.767-0600

CVE received, and docs updated:

CVE-2020-28327

I've put in a request for publication of the CVE. It might take a few days for it to sync up and be made public though.

Any further updates can't be viewed here: http://downloads.asterisk.org/pub/security/AST-2020-001.html

By: Sandro Gauci (sandrogauci) 2020-11-06 22:03:04.367-0600

Thanks for the notice. We put the CVE up on our advisory too now.

By: Asterisk Team (asteriskteam) 2020-11-06 22:03:04.960-0600

This issue has been reopened as a result of your commenting on it as the reporter. It will be triaged once again as applicable.