Details
Description
A remote party can provoke a crash of Asterisk (18.3.0, 16.17.0, master) by sending a re-INVITE after Asterisk has sent a BYE (and hasn't received a response to it).
The issue was introduced in a commit fixing ASTERISK-28452 ("res_pjsip_session: Always produce offer on re-INVITE without SDP"). The new pjsip callback added in the commit (session_inv_on_create_offer) assumes that ast_sip_session always has a channel:
ast_queue_unhold(session->channel);
When session->channel is NULL, ast_queue_unhold(NULL) causes Asterisk to log a few assertion failures and crash.
An example scenario is attached (configs + sipp + verbose console output).
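The pattern described above, next to a guarded variant, as an added example that is not code from Asterisk or from this report. The `model_*` types, both `create_offer_*` functions and their return codes are hypothetical stand-ins; only the `session->channel` dereference mirrors the line quoted in the description.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the Asterisk types; not the project's definitions. */
struct model_channel { int unhold_frames; };
struct model_session {
    struct model_channel *channel; /* NULL in the reported scenario */
};

/* Stand-in for ast_queue_unhold(): it needs a valid channel to work on. */
static void model_queue_unhold(struct model_channel *chan)
{
    chan->unhold_frames++; /* a NULL chan here is the crash in the report */
}

/* Pattern from the report: the offer callback assumes a channel is attached. */
int create_offer_unguarded(struct model_session *session)
{
    model_queue_unhold(session->channel);
    return 0;
}

/* Guarded variant: refuse to build an offer for a session with no channel. */
int create_offer_guarded(struct model_session *session)
{
    if (session == NULL || session->channel == NULL) {
        return -1; /* assumption: the caller declines the re-INVITE on -1 */
    }
    model_queue_unhold(session->channel);
    return 0;
}

int main(void)
{
    struct model_channel chan = { 0 };
    struct model_session live = { &chan };
    /* Constructed state: BYE sent, no response yet, channel already detached. */
    struct model_session torn_down = { NULL };

    printf("live session:      %d\n", create_offer_guarded(&live));
    printf("torn-down session: %d\n", create_offer_guarded(&torn_down));
    return 0;
}
```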
Issue Links
- is a clone of SWP-11469
This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.
Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.