[asterisk-bugs] [JIRA] (ASTERISK-26131) chan_sip: Crash Asterisk (in sip_request_call at chan_sip.c) by making a call to a single character in a dot pattern match

Rusty Newton (JIRA) noreply at issues.asterisk.org
Thu Aug 4 16:38:56 CDT 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-26131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rusty Newton updated ASTERISK-26131:
------------------------------------

    Security:     (was: Reporter, Bug Marshals, and Digium)

> chan_sip: Crash Asterisk (in sip_request_call at chan_sip.c) by making a call to a single character in a dot pattern match
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-26131
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26131
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Channels/chan_sip/General
>            Reporter: Dwayne Hubbard
>         Attachments: backtrace.txt, dw-asterisk-11.17.1-dnid-crash.patch, dw-asterisk-master-dnid-crash.patch, extensions.conf, full.txt, logger.conf, messages.txt, modules.conf, rtp.conf, sip.conf
>
>
> I believe I may have found a potential security issue in Asterisk 11.17.1, 13.6.0, as well as Asterisk GIT-master-7c59f21.  A soft phone user can crash Asterisk by making a call to a single character - '!' - which is stripped during DNID parsing resulting in an attempt to call AST_NONSTANDARD_APP_ARGS on an empty string.  I was able to reproduce this using Blink, Zoiper, and MicroSIP against Asterisk 11.17.1, 13.6.0, as well as the GIT master revision above.  Please see the attached patches for proposed fixes.  I have signed the Source Code License Agreement multiple times, most recently under username 'dwayne'.  Please let me know if there is anything else I can provide.
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list