[asterisk-bugs] [JIRA] (ASTERISK-26897) chan_sip: Security vulnerability with client code header
George Joseph (JIRA)
noreply at issues.asterisk.org
Wed Aug 2 10:09:12 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-26897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
George Joseph updated ASTERISK-26897:
-------------------------------------
Target Release Version/s: 15.0.0
> chan_sip: Security vulnerability with client code header
> --------------------------------------------------------
>
> Key: ASTERISK-26897
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26897
> Project: Asterisk
> Issue Type: Bug
> Components: Channels/chan_sip/General
> Affects Versions: 13.14.0, 14.3.0
> Reporter: Alex Villacís Lasso
> Assignee: Kevin Harwell
> Target Release: 13.14.1, 13.15.0, 13.16.0, 14.3.1, 14.4.0, 14.5.0, 15.0.0
>
> Attachments: 0001-CDR-Protect-from-data-overflow-in-ast_cdr_setuserfie.patch
>
>
> While studying the channels/chan_sip.c from the Asterisk 13 branch I
> found suspicious code that might enable a buffer overflow on reception
> of a SIP INFO packet.
> In channels/chan_sip.c the function handle_request_info() contains the
> following code:
> {noformat}
> } else if (!ast_strlen_zero(c = sip_get_header(req, "X-ClientCode"))) {
>     /* Client code (from SNOM phone) */
>     if (ast_test_flag(&p->flags[0], SIP_USECLIENTCODE)) {
>         if (p->owner) {
>             ast_cdr_setuserfield(ast_channel_name(p->owner), c);
>         }
>         transmit_response(p, "200 OK", req);
>     } else {
>         transmit_response(p, "403 Forbidden", req);
>     }
>     return;
> {noformat}
> This code gets the content of the X-ClientCode header, and if the
> useclientcode has been enabled for the account, calls
> ast_cdr_setuserfield with the supplied value. In turn, ast_cdr_userfield
> contains the following:
> {noformat}
> if (cdr) {
>     ao2_lock(cdr);
>     for (it_cdr = cdr; it_cdr; it_cdr = it_cdr->next) {
>         if (it_cdr->fn_table == &finalized_state_fn_table) {
>             continue;
>         }
>         strcpy(it_cdr->party_a.userfield, userfield);
>     }
>     ao2_unlock(cdr);
> }
> {noformat}
> The strcpy() call has as a target a char array with a fixed size of 256
> bytes. No length validation is apparent from the code.
> What exactly prevents a malicious remote client from sending a header
> that exceeds 256 bytes and overwrites the CDR userfield and whatever
> lies beyond it?
--
This message was sent by Atlassian JIRA
(v6.2#6252)
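The bounded alternative to the strcpy() the report points at, as an added example that is not part of the issue, the attached patch or Asterisk's own code: a stand-in struct with a 256-byte userfield and a sentinel behind it, a copy routine in the spirit of ast_copy_string() that truncates and NUL-terminates instead of overrunning, and a probe that feeds header values of various lengths through it and reports whether the field stayed contained. The struct, the sentinel and all function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the CDR party record: a 256-byte userfield as in
 * the report, followed by a sentinel that an unbounded strcpy() would clobber.
 * Not Asterisk's real struct. */
#define USERFIELD_LEN 256
#define SENTINEL_OK 0xA5A5A5A5u

struct cdr_party {
    char userfield[USERFIELD_LEN];
    unsigned int sentinel;
};

/* Bounded copy in the spirit of ast_copy_string(): writes at most size-1 bytes
 * and always NUL-terminates. Returns 1 if src had to be truncated, else 0. */
static int copy_bounded(char *dst, const char *src, size_t size)
{
    size_t n = strlen(src);
    int truncated = n >= size;
    if (truncated) {
        n = size - 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Hypothetical hardened setter: the X-ClientCode value is untrusted network
 * input, so it is copied with the field size as the bound. */
static int cdr_set_userfield_checked(struct cdr_party *p, const char *value)
{
    int truncated = copy_bounded(p->userfield, value, sizeof p->userfield);
    if (truncated) {
        fprintf(stderr, "X-ClientCode longer than %zu bytes, truncated\n",
                sizeof p->userfield - 1);
    }
    return truncated;
}

/* Feeds a header value of `len` 'A' characters through the setter. Returns 0 if
 * it fit, 1 if it was truncated, -1 if the sentinel was damaged. */
static int probe_header_length(size_t len)
{
    struct cdr_party p = { .userfield = "", .sentinel = SENTINEL_OK };
    char value[1024];
    if (len >= sizeof value) {
        return -1;
    }
    memset(value, 'A', len);
    value[len] = '\0';
    int truncated = cdr_set_userfield_checked(&p, value);
    return p.sentinel == SENTINEL_OK ? truncated : -1;
}
```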