[asterisk-bugs] [JIRA] (ASTERISK-27152) Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash
Kevin Harwell (JIRA)
noreply at issues.asterisk.org
Thu Aug 31 14:30:09 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-27152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Harwell updated ASTERISK-27152:
-------------------------------------
Security: (was: Reporter, Bug Marshals, and Digium)
> Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash
> -------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-27152
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27152
> Project: Asterisk
> Issue Type: Bug
> Affects Versions: 13.15.0, 14.4.0
> Reporter: Ross Beer
> Severity: Critical
> Labels: Security
> Target Release: 13.17.1, 14.6.1
>
>
> Easily reproducable. Send any message to asterisk with "From: tel:+1000" in the headers.
> The crash is in pjsip_message_ip_updater.c:sanitize_tdata. When we respond with even a 401, that function is called but it assumes that the From, To, and Contact uris are sip uris and casts the header's URI to {{pjsip_sip_uri *uri}}. It then tries to call pjsip_param_find on {{uri->other_param}}. Since the uri is actually a tel uri and {{other_param}} isn't at the same offset in {{pjsip_sip_uri}} as it is in {{pjsip_tel_uri}}, we get a crash.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list