[asterisk-bugs] [JIRA] (ASTERISK-26131) chan_sip: Crash Asterisk (in sip_request_call at chan_sip.c) by making a call to a single character in a dot pattern match
Rusty Newton (JIRA)
noreply at issues.asterisk.org
Thu Aug 4 16:38:56 CDT 2016
[ https://issues.asterisk.org/jira/browse/ASTERISK-26131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rusty Newton updated ASTERISK-26131:
------------------------------------
Security: (was: Reporter, Bug Marshals, and Digium)
> chan_sip: Crash Asterisk (in sip_request_call at chan_sip.c) by making a call to a single character in a dot pattern match
> --------------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-26131
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26131
> Project: Asterisk
> Issue Type: Bug
> Components: Channels/chan_sip/General
> Reporter: Dwayne Hubbard
> Attachments: backtrace.txt, dw-asterisk-11.17.1-dnid-crash.patch, dw-asterisk-master-dnid-crash.patch, extensions.conf, full.txt, logger.conf, messages.txt, modules.conf, rtp.conf, sip.conf
>
>
> I believe I may have found a potential security issue in Asterisk 11.17.1, 13.6.0, as well as Asterisk GIT-master-7c59f21. A soft phone user can crash Asterisk by making a call to a single character - '!' - which is stripped during DNID parsing resulting in an attempt to call AST_NONSTANDARD_APP_ARGS on an empty string. I was able to reproduce this using Blink, Zoiper, and MicroSIP against Asterisk 11.17.1, 13.6.0, as well as the GIT master revision above. Please see the attached patches for proposed fixes. I have signed the Source Code License Agreement multiple times, most recently under username 'dwayne'. Please let me know if there is anything else I can provide.
> Thanks!
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list