[asterisk-bugs] [JIRA] (ASTERISK-27152) Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash

Asterisk Team (JIRA) noreply at issues.asterisk.org
Wed Aug 8 10:23:05 CDT 2018


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-27152:
-------------------------------------

    Target Release Version/s: 16.0.0

> Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash
> -------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-27152
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27152
>             Project: Asterisk
>          Issue Type: Bug
>    Affects Versions: 13.15.0, 14.4.0
>            Reporter: Ross Beer
>            Severity: Critical
>              Labels: Security
>      Target Release: 13.17.1, 13.18.0, 14.6.1, 14.7.0, 15.0.0, 15.1.0, 16.0.0
>
>
> Easily reproducable.  Send any message to asterisk with "From: tel:+1000" in the headers.
> The crash is in pjsip_message_ip_updater.c:sanitize_tdata.   When we respond with even a 401, that function is called but it assumes that the From, To, and Contact uris are sip uris and casts the header's URI to {{pjsip_sip_uri *uri}}.  It then tries to call pjsip_param_find on {{uri->other_param}}.   Since the uri is actually a tel uri and {{other_param}} isn't at the same offset in {{pjsip_sip_uri}} as it is in {{pjsip_tel_uri}}, we get a crash.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list