[asterisk-bugs] [JIRA] (ASTERISK-25796) res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES

Rusty Newton (JIRA) noreply at issues.asterisk.org
Fri Nov 18 13:04:10 CST 2016 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-25796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=233821#comment-233821 ] 

Rusty Newton edited comment on ASTERISK-25796 at 11/18/16 1:02 PM:
-------------------------------------------------------------------

Hello,

This isnt fixed in pjsip 2.5.5 nor trunk
More than ~60 tcp connections and server crashes on line 363 / assertion in pjlib/src/pj/ioqueue_select.c
Is this the wrong place to report pjsip-issues perhaps ?
{noformat}
#0  0x00007f4e8a59d578 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f4e8a59e9fa in __GI_abort () at abort.c:89
#2  0x00007f4e8a596427 in __assert_fail_base (fmt=<optimized out>, assertion=assertion at entry=0x7f4e1d9cd938 "!pj_list_empty(&ioqueue->free_list)", 
    file=file at entry=0x7f4e1d9cd660 "../src/pj/ioqueue_select.c", line=line at entry=363, 
    function=function at entry=0x7f4e1d9cd9f0 <__PRETTY_FUNCTION__.6416> "pj_ioqueue_register_sock2") at assert.c:92
#3  0x00007f4e8a5964d2 in __GI___assert_fail (assertion=0x7f4e1d9cd938 "!pj_list_empty(&ioqueue->free_list)", file=0x7f4e1d9cd660 "../src/pj/ioqueue_select.c", line=363, 
    function=0x7f4e1d9cd9f0 <__PRETTY_FUNCTION__.6416> "pj_ioqueue_register_sock2") at assert.c:101
#4  0x00007f4e1d9bb526 in pj_ioqueue_register_sock2 () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#5  0x00007f4e1d9bf6bc in pj_activesock_create () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#6  0x00007f4e1f9a8a7c in tcp_create.constprop () from /usr/app/asterisk/14.1.1/lib/libpjsip.so.2
#7  0x00007f4e1f9a8fb7 in on_accept_complete () from /usr/app/asterisk/14.1.1/lib/libpjsip.so.2
#8  0x00007f4e1d9bf06f in ioqueue_on_accept_complete () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#9  0x00007f4e1d9ba123 in ioqueue_dispatch_read_event () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#10 0x00007f4e1d9bba3f in pj_ioqueue_poll () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#11 0x00007f4e1f99d9cb in pjsip_endpt_handle_events2 () from /usr/app/asterisk/14.1.1/lib/libpjsip.so.2
#12 0x00007f4e1c59fe68 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4017
#13 0x00007f4e1d9bcc0a in thread_main () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#14 0x00007f4e8aeac434 in start_thread (arg=0x7f4e1691b700) at pthread_create.c:334
#15 0x00007f4e8a6530ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
{noformat}


was (Author: jorgen):
Hello,

This isnt fixed in pjsip 2.5.5 nor trunk
More than ~60 tcp connections and server crashes on line 363 / assertion in pjlib/src/pj/ioqueue_select.c
Is this the wrong place to report pjsip-issues perhaps ?

#0  0x00007f4e8a59d578 in __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:55
#1  0x00007f4e8a59e9fa in __GI_abort () at abort.c:89
#2  0x00007f4e8a596427 in __assert_fail_base (fmt=<optimized out>, assertion=assertion at entry=0x7f4e1d9cd938 "!pj_list_empty(&ioqueue->free_list)", 
    file=file at entry=0x7f4e1d9cd660 "../src/pj/ioqueue_select.c", line=line at entry=363, 
    function=function at entry=0x7f4e1d9cd9f0 <__PRETTY_FUNCTION__.6416> "pj_ioqueue_register_sock2") at assert.c:92
#3  0x00007f4e8a5964d2 in __GI___assert_fail (assertion=0x7f4e1d9cd938 "!pj_list_empty(&ioqueue->free_list)", file=0x7f4e1d9cd660 "../src/pj/ioqueue_select.c", line=363, 
    function=0x7f4e1d9cd9f0 <__PRETTY_FUNCTION__.6416> "pj_ioqueue_register_sock2") at assert.c:101
#4  0x00007f4e1d9bb526 in pj_ioqueue_register_sock2 () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#5  0x00007f4e1d9bf6bc in pj_activesock_create () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#6  0x00007f4e1f9a8a7c in tcp_create.constprop () from /usr/app/asterisk/14.1.1/lib/libpjsip.so.2
#7  0x00007f4e1f9a8fb7 in on_accept_complete () from /usr/app/asterisk/14.1.1/lib/libpjsip.so.2
#8  0x00007f4e1d9bf06f in ioqueue_on_accept_complete () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#9  0x00007f4e1d9ba123 in ioqueue_dispatch_read_event () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#10 0x00007f4e1d9bba3f in pj_ioqueue_poll () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#11 0x00007f4e1f99d9cb in pjsip_endpt_handle_events2 () from /usr/app/asterisk/14.1.1/lib/libpjsip.so.2
#12 0x00007f4e1c59fe68 in monitor_thread_exec (endpt=<optimized out>) at res_pjsip.c:4017
#13 0x00007f4e1d9bcc0a in thread_main () from /usr/app/asterisk/14.1.1/lib/libpj.so.2
#14 0x00007f4e8aeac434 in start_thread (arg=0x7f4e1691b700) at pthread_create.c:334
#15 0x00007f4e8a6530ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109


> res_pjsip: DOS/Crash when TCP/TLS sockets exceed pjproject PJ_IOQUEUE_MAX_HANDLES
> ---------------------------------------------------------------------------------
>
>                 Key: ASTERISK-25796
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25796
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_pjsip
>    Affects Versions: SVN, 13.7.2
>            Reporter: George Joseph
>              Labels: Security
>      Target Release: 13.8.1, 13.9.0, 14.0.0
>
>         Attachments: bt_full.txt, options.xml, transport_management.diff
>
>
> pjproject's default PJ_IOQUEUE_MAX_HANDLES is set to 64. If an attempt is made to open more than that (actually MAX_HANDLES - 4) and pjproject was compiled without NDEBUG, pjproject will assert with "../src/pj/ioqueue_select.c:352: pj_ioqueue_register_sock2: Assertion `!pj_list_empty(&ioqueue->free_list)' failed." and Asterisk will die.  If pjproject WAS compiled with NDEBUG, then you can easily keep 60 sockets open and prevent Asterisk from performing any new TCP/TLS transactions.  You do NOT need to be authenticated to trigger the scenario.
> To reproduce the crash...
> Compile pjproject without NDEBUG.
> Create a TCP transport, endpoint and aor with default settings.
> Using the attached options.xml run 2 instances of sipp.  You have to run 2 and start them quick because sipp terminates when the remote end closes the listener.
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 61 -r 30 -max_socket 200 -bg
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 61 -r 30 -max_socket 200 -bg
> To reproduce the DOS...
> Compile pjproject with or without NDEBUG.
> Create a TCP transport, endpoint and aor with default settings.
> $ sipp -sf options.xml <server> -s <endpoint> -t tn -m 60 -r 30 -max_socket 200
> You will not be able to initiate any new transactions



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list