| Summary: | ASTERISK-29381: chan_pjsip: Remote denial of service by an authenticated user | ||
| Reporter: | Ivan Poddubny (ipoddubny) | Labels: | patch security |
| Date Opened: | 2021-04-06 16:39:32 | Date Closed: | 2021-07-22 15:12:19 |
| Priority: | Blocker | Regression? | Yes |
| Status: | Closed/Complete | Components: | Resources/res_pjsip_session |
| Versions: | 16.17.0 18.3.0 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | Attachments: | ( 0) AST-2021-007.pdf ( 1) AST-2021-007-16.diff ( 2) AST-2021-007-18.diff ( 3) extensions.conf ( 4) pjsip.conf ( 5) test.sh ( 6) test.xml ( 7) verbose-crash.txt | |
| Description: | A remote party can provoke a crash of asterisk (18.3.0, 16.17.0, master) by sending a re-INVITE after asterisk has sent a BYE (and hasn't received a response to it).
The issue was introduced in a commit fixing ASTERISK-28452 ("res_pjsip_session: Always produce offer on re-INVITE without SDP"). The new pjsip callback added in the commit (session_inv_on_create_offer) assumes that ast_sip_session always has a channel: {code} ast_queue_unhold(session->channel); {code} When {{session->channel}} is NULL, {{ast_queue_unhold(NULL)}} causes Asterisk to log a few assertion failures and crash. An example scenario is attached (configs + sipp + verbose console output). | ||
| Comments: | By: Asterisk Team (asteriskteam) 2021-04-06 16:39:34.592-0500 This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged. Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue. By: Asterisk Team (asteriskteam) 2021-04-06 16:39:35.564-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/]. By: Kevin Harwell (kharwell) 2021-04-09 10:40:13.773-0500 Thanks for the report, and for the scenario in which to easily duplicate. By: Joshua C. Colp (jcolp) 2021-04-30 08:24:22.774-0500 I've attached the patches and security advisory if you'd like them or want to take a look. Please do not disclose or release them. I do not have a timeframe yet on a release with this, as another security issue is in queue. Once this changes then I will update this issue. By: Ivan Poddubny (ipoddubny) 2021-04-30 11:34:27.356-0500 I made the same change in the code (didn't submit it because I wasn't sure the fix is correct), the patched version works well. By: Friendly Automation (friendly-automation) 2021-07-22 15:12:20.041-0500 Change 16201 merged by George Joseph: AST-2021-007 - res_pjsip_session: Don't offer if no channel exists. [https://gerrit.asterisk.org/c/asterisk/+/16201|https://gerrit.asterisk.org/c/asterisk/+/16201] By: Friendly Automation (friendly-automation) 2021-07-22 15:12:43.348-0500 Change 16202 merged by George Joseph: AST-2021-007 - res_pjsip_session: Don't offer if no channel exists. [https://gerrit.asterisk.org/c/asterisk/+/16202|https://gerrit.asterisk.org/c/asterisk/+/16202] By: Friendly Automation (friendly-automation) 2021-07-22 15:19:20.878-0500 Change 16183 merged by Friendly Automation: AST-2021-007 - res_pjsip_session: Don't offer if no channel exists. [https://gerrit.asterisk.org/c/asterisk/+/16183|https://gerrit.asterisk.org/c/asterisk/+/16183] By: Friendly Automation (friendly-automation) 2021-07-22 15:19:23.461-0500 Change 16182 merged by Friendly Automation: AST-2021-007 - res_pjsip_session: Don't offer if no channel exists. [https://gerrit.asterisk.org/c/asterisk/+/16182|https://gerrit.asterisk.org/c/asterisk/+/16182] By: Friendly Automation (friendly-automation) 2021-07-22 15:19:47.251-0500 Change 16184 merged by Friendly Automation: AST-2021-007 - res_pjsip_session: Don't offer if no channel exists. [https://gerrit.asterisk.org/c/asterisk/+/16184|https://gerrit.asterisk.org/c/asterisk/+/16184] By: Friendly Automation (friendly-automation) 2021-07-23 08:23:14.267-0500 Change 16211 merged by Friendly Automation: AST-2021-007 - res_pjsip_session: Don't offer if no channel exists. [https://gerrit.asterisk.org/c/asterisk/+/16211|https://gerrit.asterisk.org/c/asterisk/+/16211] | ||