[asterisk-bugs] [JIRA] (ASTERISK-25796) res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Thu Apr 14 17:27:57 CDT 2016 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-25796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Harwell updated ASTERISK-25796:
-------------------------------------

    Security:     (was: Reporter, Bug Marshals, and Digium)

> res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES
> ---------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25796
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25796
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_pjsip
>    Affects Versions: SVN, 13.7.2
>            Reporter: George Joseph
>              Labels: Security
>      Target Release: 13.8.1
>
>         Attachments: bt_full.txt, options.xml, transport_management.diff
>
>
> pjproject's default PJ_IOQUEUE_MAX_HANDLES is set to 64. If an attempt is made to open more than that (actually MAX_HANDLES - 4) and pjproject was compiled without NDEBUG, pjproject will assert with "../src/pj/ioqueue_select.c:352: pj_ioqueue_register_sock2: Assertion `!pj_list_empty(&ioqueue->free_list)' failed." and Asterisk will die.  If pjproject WAS compiled with NDEBUG, then you can easily keep 60 sockets open and prevent Asterisk from performing any new TCP/TLS transactions.  You do NOT need to be authenticated to trigger the scenario.
> To reproduce the crash...
> Compile pjproject without NDEBUG.
> Create a TCP transport, endpoint and aor with default settings.
> Using the attached options.xml run 2 instances of sipp.  You have to run 2 and start them quick because sipp terminates when the remote end closes the listener.
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 61 -r 30 -max_socket 200 -bg
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 61 -r 30 -max_socket 200 -bg
> To reproduce the DOS...
> Compile pjproject with or without NDEBUG.
> Create a TCP transport, endpoint and aor with default settings.
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 60 -r 30 -max_socket 200
> You will not be able to initiate any new transactions



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list