
Summary: ASTERISK-29872: res_stir_shaken: Resource exhaustion with large files
Reporter: Benjamin Keith Ford (bford)
Labels: security
Date Opened: 2022-01-21 11:57:45.000-0600
Date Closed: 2022-04-14 13:30:15
Priority: Blocker
Regression?:
Status: Closed/Complete
Components: Resources/res_stir_shaken
Versions: 16.23.0 18.9.0 19.1.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: When we receive a SIP INVITE that has an Identity header, we attempt to download the certificate if stir_shaken is enabled. However, we don't have any checks in place to ensure that the file is not too large and that the file is actually a certificate.
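The mitigation named in the merged changes, limiting the downloaded size and checking how the file starts, as an added illustration in C (not Asterisk's res_stir_shaken code): a libcurl-style write callback that aborts the transfer once the body exceeds a cap or once its first bytes stop matching a PEM certificate header. The cap value, the function names and the sample bodies are constructed assumptions, not values from the patch.

```c
#include <string.h>
/* Illustrative values; the cap Asterisk chose is in the patch, not here. */
#define MAX_CERT_BYTES 4096
#define PEM_CERT_HEADER "-----BEGIN CERTIFICATE-----"
enum { ACCEPTED = 0, TOO_LARGE = 1, NOT_A_CERT = 2 };
struct cert_download { char buf[MAX_CERT_BYTES + 1]; size_t len; int reason; };

/* libcurl-style write callback (CURLOPT_WRITEFUNCTION signature). Returning fewer bytes than
 * offered makes libcurl abort the transfer, so a huge or non-PEM body is cut off mid-stream. */
size_t bounded_cert_write(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct cert_download *dl = userdata;
    size_t incoming = size * nmemb, hdr = strlen(PEM_CERT_HEADER), cmp;
    if (dl->reason != ACCEPTED) return 0;
    if (dl->len + incoming > MAX_CERT_BYTES) { dl->reason = TOO_LARGE; return 0; }
    memcpy(dl->buf + dl->len, ptr, incoming);
    dl->len += incoming;
    /* Compare whatever prefix has arrived so far, so junk is rejected long before the cap. */
    cmp = dl->len < hdr ? dl->len : hdr;
    if (memcmp(dl->buf, PEM_CERT_HEADER, cmp) != 0) { dl->reason = NOT_A_CERT; return 0; }
    return incoming;
}

/* Push `total` bytes through the callback in `chunk`-sized pieces, as a transfer would,
 * and return ACCEPTED or the reason the body was rejected. */
int simulate_cert_download(const char *data, size_t total, size_t chunk)
{
    static struct cert_download dl;
    size_t off, n;
    memset(&dl, 0, sizeof(dl));
    for (off = 0; off < total; off += chunk) {
        n = total - off < chunk ? total - off : chunk;
        if (bounded_cert_write((char *)data + off, 1, n, &dl) != n) return dl.reason;
    }
    /* A body shorter than the header line can never be a certificate. */
    return dl.len >= strlen(PEM_CERT_HEADER) ? ACCEPTED : NOT_A_CERT;
}

/* Constructed inputs (not real certificates or captured responses). */
int check_constructed_pem(void)
{
    const char body[] = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n";
    return simulate_cert_download(body, sizeof(body) - 1, 16);
}
int check_oversized_body(void)   /* valid-looking header, then a body that never ends */
{
    static char body[MAX_CERT_BYTES * 4];
    memset(body, 'A', sizeof(body));
    memcpy(body, PEM_CERT_HEADER, strlen(PEM_CERT_HEADER));
    return simulate_cert_download(body, sizeof(body), 1024);
}
```

The oversized case is stopped after the fifth 1024-byte chunk, and a non-certificate body is refused on its very first chunk, so neither is ever written out in full.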
Comments:

By: Asterisk Team (asteriskteam) 2022-01-21 11:57:46.122-0600

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue.

By: Friendly Automation (friendly-automation) 2022-04-14 13:30:16.421-0500

Change 18379 merged by Friendly Automation:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18379

By: Friendly Automation (friendly-automation) 2022-04-14 14:29:14.116-0500

Change 18393 merged by Michael Bradeen:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18393

By: Friendly Automation (friendly-automation) 2022-04-14 14:35:26.324-0500

Change 18392 merged by Michael Bradeen:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18392

By: Friendly Automation (friendly-automation) 2022-04-14 14:35:44.057-0500

Change 18391 merged by Michael Bradeen:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18391

By: Friendly Automation (friendly-automation) 2022-04-14 14:54:57.707-0500

Change 18401 merged by Friendly Automation:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18401

By: Friendly Automation (friendly-automation) 2022-04-14 15:13:38.041-0500

Change 18402 merged by Friendly Automation:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18402

By: Friendly Automation (friendly-automation) 2022-04-14 16:56:57.492-0500

Change 18378 merged by Joshua Colp:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18378

By: Friendly Automation (friendly-automation) 2022-04-14 16:57:10.696-0500

Change 18400 merged by Joshua Colp:
AST-2022-001 - res_stir_shaken/curl: Limit file size and check start.

https://gerrit.asterisk.org/c/asterisk/+/18400