[asterisk-bugs] [JIRA] (ASTERISK-24464) ICE Candidates Gathering causes abort in pjproject code due to too small network interface array size
Rusty Newton (JIRA)
noreply at issues.asterisk.org
Mon Nov 17 09:51:32 CST 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-24464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223221#comment-223221 ]
Rusty Newton edited comment on ASTERISK-24464 at 11/17/14 9:50 AM:
-------------------------------------------------------------------
Below is the requested backtrace with the sip address obfuscated, though it is now from 11.13.1 which shouldn't matter. With the array being to small Asterisk offers only IPv6 ICE candidates whereas the client offers only IPv4 ICE candidates thus there can't be any match.
Anyway there should be a way to limit the adresses asterisk offers, e.g. by 'iceallow' and 'icedeny' commands using the acl code. Offering all network addresses of a server can be an unwanted information leak showing possible points of attack either against the server itself or systems on the attached networks. Note that the addresses are easy to view when using e.g. "about:webrtc" in firefox.
[Edit by Rusty - removed abort trace and attached as abort_pjproject.txt]
was (Author: anstein):
Below is the requested backtrace with the sip address obfuscated, though it is now from 11.13.1 which shouldn't matter. With the array being to small Asterisk offers only IPv6 ICE candidates whereas the client offers only IPv4 ICE candidates thus there can't be any match.
Anyway there should be a way to limit the adresses asterisk offers, e.g. by 'iceallow' and 'icedeny' commands using the acl code. Offering all network addresses of a server can be an unwanted information leak showing possible points of attack either against the server itself or systems on the attached networks. Note that the addresses are easy to view when using e.g. "about:webrtc" in firefox.
asterisk: ../src/pjnath/ice_session.c:2022: pj_ice_sess_start_check: Assertion `ice->clist.count > 0' failed.
[Switching to Thread 0x7fff92a7c700 (LWP 8368)]
Breakpoint 1, 0x00007ffff78727d0 in abort () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff78727d0 in abort () from /lib64/libc.so.6
#1 0x00007ffff786aec4 in ?? () from /lib64/libc.so.6
#2 0x00007ffff786af6c in __assert_fail () from /lib64/libc.so.6
#3 0x00007fffa2ba0a6a in pj_ice_sess_start_check ()
from /usr/lib64/asterisk/modules/res_rtp_asterisk.so
#4 0x00007fffa2b89398 in ast_rtp_ice_start (instance=0x7fff60035378)
at res_rtp_asterisk.c:705
#5 0x00007fffaa6630da in start_ice (instance=0x7fff60035378, offer=0)
at chan_sip.c:12578
#6 0x00007fffaa65a822 in process_sdp (p=0x7fff60027688, req=0x7fff92a78e50,
t38action=1) at chan_sip.c:10500
#7 0x00007fffaa6a76c4 in handle_request_invite (p=0x7fff60027688,
req=0x7fff92a78e50, addr=0x7fff60016ef8, seqno=54357,
recount=0x7fff92a78dd0, e=0x7fff60026d7f "sip:XX at XXXXX.XXX.XXXXX.XX",
nounlock=0x7fff92a78dd4) at chan_sip.c:25550
#8 0x00007fffaa6b3f33 in handle_incoming (p=0x7fff60027688,
req=0x7fff92a78e50, addr=0x7fff60016ef8, recount=0x7fff92a78dd0,
nounlock=0x7fff92a78dd4) at chan_sip.c:28297
#9 0x00007fffaa6b4ab1 in handle_request_do (req=0x7fff92a78e50,
addr=0x7fff60016ef8) at chan_sip.c:28506
#10 0x00007fffaa637951 in sip_websocket_callback (session=0x7fff60016ee8,
parameters=0x0, headers=0x7fff60015c30) at chan_sip.c:2612
#11 0x00007ffff23c0e14 in websocket_callback (ser=0x7fffcc0019f8,
urih=0x7ffff25c3240 <websocketuri>, uri=0x7fff92a79c97 "",
method=AST_HTTP_GET, get_vars=0x0, headers=0x7fff60015c30)
at res_http_websocket.c:676
#12 0x00000000004fafc1 in handle_uri (ser=0x7fffcc0019f8,
uri=0x7fff92a79c97 "", method=AST_HTTP_GET, headers=0x7fff60015c30)
at http.c:754
#13 0x00000000004fb632 in httpd_helper_thread (data=0x7fffcc0019f8)
at http.c:991
#14 0x00000000005914e4 in handle_tcptls_connection (data=0x7fffcc0019f8)
at tcptls.c:684
#15 0x00000000005a4015 in dummy_start (data=0x7fffcc002700) at utils.c:1192
#16 0x00007ffff6221f70 in start_thread () from /lib64/libpthread.so.0
#17 0x00007ffff791f14d in clone () from /lib64/libc.so.6
> ICE Candidates Gathering causes abort in pjproject code due to too small network interface array size
> -----------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-24464
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24464
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_rtp_asterisk
> Affects Versions: 11.13.0
> Environment: Linux
> Reporter: Andreas Steinmetz
> Assignee: Matt Jordan
> Attachments: abort_pjproject.txt, ice-candidates-length.patch
>
>
> The array size for network gathering for the ice candidates list is too small (16). This can cause the required candidates not to be included which lateron triggers a pjproject abort.
> Thinking of VLANs and that every network interface has typically at least two addresses an array size of 64 seems to be more reasonable.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list