Asterisk / ASTERISK-29381

chan_pjsip: Remote denial of service by an authenticated user

    Details

    • Regression:
      Yes
    • PJSIP Bundled:
      Yes

      Description

      A remote party can provoke a crash of Asterisk (18.3.0, 16.17.0, master) by sending a re-INVITE after Asterisk has sent a BYE (and hasn't received a response to it).

      The issue was introduced in a commit fixing ASTERISK-28452 ("res_pjsip_session: Always produce offer on re-INVITE without SDP"). The new pjsip callback added in the commit (session_inv_on_create_offer) assumes that ast_sip_session always has a channel:

             ast_queue_unhold(session->channel);
      

      When session->channel is NULL, ast_queue_unhold(NULL) causes Asterisk to log a few assertion failures and crash.
      An example scenario is attached (configs + sipp + verbose console output).

      1. AST-2021-007.pdf
        40 kB
        Joshua C. Colp
      2. AST-2021-007-16.diff
        1 kB
        Joshua C. Colp
      3. AST-2021-007-18.diff
        1 kB
        Joshua C. Colp
      4. extensions.conf
        0.1 kB
        Ivan Poddubny
      5. pjsip.conf
        0.1 kB
        Ivan Poddubny
      6. test.sh
        0.1 kB
        Ivan Poddubny
      7. test.xml
        2 kB
        Ivan Poddubny
      8. verbose-crash.txt
        6 kB
        Ivan Poddubny
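As an added illustration (not code from Asterisk or from the attached patches), the following minimal C model shows the condition the description reports and a guard in the spirit of the fix title "Don't offer if no channel exists". `struct session`, `struct channel`, `queue_unhold`, `send_bye` and both callbacks are hypothetical stand-ins, and detaching the channel when the BYE is sent is an assumption drawn from the description.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the Asterisk types named in the report. */
struct channel { int unhold_frames; };
struct session { struct channel *channel; int bye_sent; };

/* Stand-in for ast_queue_unhold(): dereferences chan, so NULL is fatal. */
static void queue_unhold(struct channel *chan)
{
    chan->unhold_frames++;
}

/* Assumption: sending BYE detaches the channel while the session lives on
 * until the peer answers the BYE. */
static void send_bye(struct session *s)
{
    s->bye_sent = 1;
    s->channel = NULL;
}

/* Pattern from the report: the offer callback trusts session->channel.
 * Safe only while a channel is attached. */
static int create_offer_unguarded(struct session *s)
{
    queue_unhold(s->channel);
    return 0;
}

/* Guard modelled on the fix title "Don't offer if no channel exists". */
static int create_offer_guarded(struct session *s)
{
    if (s == NULL || s->channel == NULL) {
        return -1; /* no channel: produce no offer */
    }
    queue_unhold(s->channel);
    return 0;
}

int main(void)
{
    struct channel chan = { 0 };
    struct session s = { &chan, 0 };

    printf("live session, unguarded: %d\n", create_offer_unguarded(&s));
    send_bye(&s);
    /* A re-INVITE arriving now reaches the callback with channel == NULL. */
    printf("after BYE, guarded: %d\n", create_offer_guarded(&s));
    return 0;
}
```

The unguarded callback is only exercised while a channel is attached; after `send_bye()` only the guarded form is safe to call.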


          Activity

          Friendly Automation added a comment -

          Change 16202 merged by George Joseph:
          AST-2021-007 - res_pjsip_session: Don't offer if no channel exists.

          https://gerrit.asterisk.org/c/asterisk/+/16202

          Friendly Automation added a comment -

          Change 16183 merged by Friendly Automation:
          AST-2021-007 - res_pjsip_session: Don't offer if no channel exists.

          https://gerrit.asterisk.org/c/asterisk/+/16183

          Friendly Automation added a comment -

          Change 16182 merged by Friendly Automation:
          AST-2021-007 - res_pjsip_session: Don't offer if no channel exists.

          https://gerrit.asterisk.org/c/asterisk/+/16182

          Friendly Automation added a comment -

          Change 16184 merged by Friendly Automation:
          AST-2021-007 - res_pjsip_session: Don't offer if no channel exists.

          https://gerrit.asterisk.org/c/asterisk/+/16184

          Friendly Automation added a comment -

          Change 16211 merged by Friendly Automation:
          AST-2021-007 - res_pjsip_session: Don't offer if no channel exists.

          https://gerrit.asterisk.org/c/asterisk/+/16211
