[asterisk-bugs] [JIRA] (ASTERISK-26897) chan_sip: Security vulnerability with client code header

Joshua Colp (JIRA) noreply at issues.asterisk.org
Tue Apr 4 09:43:58 CDT 2017 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-26897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua Colp updated ASTERISK-26897:
-----------------------------------

    Security:     (was: Reporter, Bug Marshals, and Digium)

> chan_sip: Security vulnerability with client code header
> --------------------------------------------------------
>
>                 Key: ASTERISK-26897
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26897
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Channels/chan_sip/General
>    Affects Versions: 13.14.0, 14.3.0
>            Reporter: Alex Villacís Lasso
>            Assignee: Kevin Harwell
>      Target Release: 13.14.1, 14.3.1
>
>         Attachments: 0001-CDR-Protect-from-data-overflow-in-ast_cdr_setuserfie.patch
>
>
> While studying the channels/chan_sip.c from the Asterisk 13 branch I
> found suspicious code that might enable a buffer overflow on reception
> of a SIP INFO packet.
> In channels/chan_sip.c the function handle_request_info() contains the
> following code:
> {noformat}
>      } else if (!ast_strlen_zero(c = sip_get_header(req,
>      "X-ClientCode"))) {
>          /* Client code (from SNOM phone) */
>          if (ast_test_flag(&p->flags[0], SIP_USECLIENTCODE)) {
>              if (p->owner) {
> ast_cdr_setuserfield(ast_channel_name(p->owner), c);
>              }
>              transmit_response(p, "200 OK", req);
>          } else {
>              transmit_response(p, "403 Forbidden", req);
>          }
>          return;
> {noformat}
> This code gets the content of the X-ClientCode header, and if the
> useclientcode has been enabled for the account, calls
> ast_cdr_setuserfield with the supplied value. In turn, ast_cdr_userfield
> contains the following:
> {noformat}
>      if (cdr) {
>          ao2_lock(cdr);
>          for (it_cdr = cdr; it_cdr; it_cdr = it_cdr->next) {
>              if (it_cdr->fn_table == &finalized_state_fn_table) {
>                  continue;
>              }
>              strcpy(it_cdr->party_a.userfield, userfield);
>          }
>          ao2_unlock(cdr);
>      }
> {noformat}
> The strcpy() call has as a target a char array with a fixed size of 256
> bytes. No length validation is apparent from the code.
> What exactly prevents a malicious remote client from sending a header
> that exceeds 256 bytes and overwrites the CDR userfield and whatever
> lies beyond it?



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list