[asterisk-bugs] [JIRA] (ASTERISK-27279) Crash in pubsub_on_rx_request NULL pointer - Possible PJSIP Vulnerability

Friendly Automation (JIRA) noreply at issues.asterisk.org
Wed Sep 20 08:14:10 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=238792#comment-238792 ] 

Friendly Automation commented on ASTERISK-27279:
------------------------------------------------

Change 6539 merged by Joshua Colp:
res_pjsip_pubsub:  Check for Content-Type header in rx_notify_request

https://gerrit.asterisk.org/6539

> Crash in pubsub_on_rx_request NULL pointer - Possible PJSIP Vulnerability
> -------------------------------------------------------------------------
>
>                 Key: ASTERISK-27279
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27279
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_pubsub
>    Affects Versions: GIT
>         Environment: Fedora 23
>            Reporter: Ross Beer
>            Assignee: George Joseph
>         Attachments: core-asterisk-3091-1505826693-thread1.txt, core-asterisk-3252-1505826711-thread1.txt, core-asterisk-3370-1505826727-thread1.txt, core-asterisk-3479-1505826761-thread1.txt, core-asterisk-3598-1505826778-thread1.txt
>
>
> Crash when receiving a SUBSCRIBE request with no content type.
> {noformat}
> #0  0x00007f8a3598d1a2 in pj_stricmp (str1=0x0, str2=0x7f89a9e3aab0) at ../include/pj/string_i.h:216
> #1  0x00007f8a3598d2b1 in pj_stricmp2 (str1=0x0, str2=0x7f89bab14f5e "application") at ../include/pj/string_i.h:315
>         copy2 = {ptr = 0x7f89bab14f5e "application", slen = 11}
> #2  0x00007f89bab1226f in pubsub_on_rx_request (rdata=0x7f88ec0688d8) at res_pjsip_pubsub.c:3589
>         rdata = 0x7f88ec0688d8
> #3  0x00007f89bab1226f in pubsub_on_rx_request (rdata=0x7f88ec0688d8) at res_pjsip_pubsub.c:3603
>         rdata = 0x7f88ec0688d8
> {noformat}
> The segfault is caused by a NULL pointer in the following method:
> {noformat}
> static pj_bool_t pubsub_on_rx_notify_request(pjsip_rx_data *rdata)
> {
> 	if (pj_stricmp2(&rdata->msg_info.msg->body->content_type.type, "application") == 0 &&
> 		pj_stricmp2(&rdata->msg_info.msg->body->content_type.subtype, "simple-message-summary") == 0) {
> 		return pubsub_on_rx_mwi_notify_request(rdata);
> 	}
> 	return PJ_FALSE;
> }
> {noformat}
> I would have expected PJSIP to have rejected the request due to the lack of content type; however, it appears to have passed without issue.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
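
A guarded form of the content-type check quoted in the report, as an added example that is not Asterisk's or PJSIP's code and not the merged change. The structs and the names `str_t`, `msg_t`, `str_ieq` and `is_mwi_notify` are simplified stand-ins assumed here, modelling only the fields the quoted function touches; the backtrace shows `str1=0x0`, so the pointer reached through `body` is tested before `content_type` is read.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the PJSIP types: only the fields the check reads. */
typedef struct { const char *ptr; long slen; } str_t;        /* counted string, not NUL-terminated */
typedef struct { str_t type; str_t subtype; } media_type_t;
typedef struct { media_type_t content_type; } msg_body_t;
typedef struct { msg_body_t *body; } msg_t;                  /* assumption: NULL when the request has no body */

/* Case-insensitive compare of a counted string with a C literal.
 * A NULL or empty counted string never matches. */
static int str_ieq(const str_t *s, const char *lit)
{
    size_t n = strlen(lit);
    if (s == NULL || s->ptr == NULL || s->slen < 0 || (size_t)s->slen != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s->ptr[i]) != tolower((unsigned char)lit[i]))
            return 0;
    return 1;
}

/* Guarded check: decline the request when there is no body to inspect,
 * instead of computing &body->content_type.type from a NULL body. */
static int is_mwi_notify(const msg_t *msg)
{
    if (msg == NULL || msg->body == NULL)
        return 0;
    return str_ieq(&msg->body->content_type.type, "application") &&
           str_ieq(&msg->body->content_type.subtype, "simple-message-summary");
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    msg_body_t mwi = { { { "Application", 11 }, { "simple-message-summary", 22 } } };
    msg_body_t other = { { { "text", 4 }, { "plain", 5 } } };
    msg_t with_mwi = { &mwi }, with_other = { &other }, no_body = { NULL };

    printf("mwi=%d other=%d no_body=%d\n", is_mwi_notify(&with_mwi),
           is_mwi_notify(&with_other), is_mwi_notify(&no_body));
    return 0;
}
```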


