[asterisk-bugs] [JIRA] (ASTERISK-25796) res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES

Joshua Colp (JIRA) noreply at issues.asterisk.org
Fri Nov 18 05:14:10 CST 2016


    [ https://issues.asterisk.org/jira/browse/ASTERISK-25796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=233822#comment-233822 ] 

Joshua Colp commented on ASTERISK-25796:
----------------------------------------

[~jorgen] Please open a new issue and clarify how you have built PJSIP. If you are not using bundled, it is entirely possible that your built PJSIP does not follow recommendations which would not have the same problem.

> res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES
> ---------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25796
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25796
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_pjsip
>    Affects Versions: SVN, 13.7.2
>            Reporter: George Joseph
>              Labels: Security
>      Target Release: 13.8.1, 13.9.0, 14.0.0
>
>         Attachments: bt_full.txt, options.xml, transport_management.diff
>
>
> pjproject's default PJ_IOQUEUE_MAX_HANDLES is set to 64. If an attempt is made to open more than that (actually MAX_HANDLES - 4) and pjproject was compiled without NDEBUG, pjproject will assert with "../src/pj/ioqueue_select.c:352: pj_ioqueue_register_sock2: Assertion `!pj_list_empty(&ioqueue->free_list)' failed." and Asterisk will die.  If pjproject WAS compiled with NDEBUG, then you can easily keep 60 sockets open and prevent Asterisk from performing any new TCP/TLS transactions.  You do NOT need to be authenticated to trigger the scenario.
> To reproduce the crash...
> Compile pjproject without NDEBUG.
> Create a TCP transport, endpoint and aor with default settings.
> Using the attached options.xml run 2 instances of sipp.  You have to run 2 and start them quick because sipp terminates when the remote end closes the listener.
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 61 -r 30 -max_socket 200 -bg
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 61 -r 30 -max_socket 200 -bg
> To reproduce the DOS...
> Compile pjproject with or without NDEBUG.
> Create a TCP transport, endpoint and aor with default settings.
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 60 -r 30 -max_socket 200
> You will not be able to initiate any new transactions



--
This message was sent by Atlassian JIRA
(v6.2#6252)
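
An added monitoring example (not part of the original message, nor Asterisk or pjproject code): it counts established TCP connections on the SIP port from a Linux `/proc/net/tcp` table and flags when they approach the `PJ_IOQUEUE_MAX_HANDLES - 4` limit described in the quoted report. Port 5060, the 75% warning ratio, the function names and the sample table are assumptions; only IPv4 is handled.

```python
import socket
import struct
from collections import Counter

# From the issue text: default PJ_IOQUEUE_MAX_HANDLES is 64, and registration
# fails at about MAX_HANDLES - 4. Pass your build's value if it differs.
PJ_IOQUEUE_MAX_HANDLES = 64
ESTABLISHED = "01"  # TCP state code in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout, trimmed to the first four columns
# (hex address:port as printed on a little-endian host). 0x13C4 = 5060, 0x0016 = 22.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:13C4 00000000:0000 0A
   1: 0A0200C0:13C4 076433C6:9CB0 01
   2: 0A0200C0:13C4 076433C6:9CB1 01
   3: 0A0200C0:13C4 076433C6:9CB2 01
   4: 0A0200C0:13C4 097100CB:D431 01
   5: 0A0200C0:0016 097100CB:E2F0 01
"""

def sip_tcp_peers(proc_net_tcp, sip_port=5060):
    """Count ESTABLISHED sockets on sip_port, grouped by remote IPv4 address."""
    peers = Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != ESTABLISHED:
            continue
        local, remote = fields[1], fields[2]
        if int(local.rsplit(":", 1)[1], 16) != sip_port:
            continue
        raw = struct.pack("<I", int(remote.rsplit(":", 1)[0], 16))
        peers[socket.inet_ntoa(raw)] += 1
    return peers

def assess(peers, max_handles=PJ_IOQUEUE_MAX_HANDLES, warn_ratio=0.75):
    """Compare open SIP TCP sockets with the usable ioqueue slots."""
    usable = max_handles - 4
    total = sum(peers.values())
    return {"total": total, "usable": usable,
            "alert": total >= usable * warn_ratio,
            "top_peers": peers.most_common(3)}

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live data on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample
    print(assess(sip_tcp_peers(table)))
```

For a TLS transport, pass the TLS listener port as `sip_port` (for example 5061 if that is what the transport binds to).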


