[asterisk-bugs] [JIRA] (ASTERISK-27152) Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Wed Aug 8 10:23:05 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-27152?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-27152:
-------------------------------------
Target Release Version/s: 16.0.0
> Sending a "tel" uri in a From or To header in an unauthenticated message causes asterisk to crash
> -------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-27152
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27152
> Project: Asterisk
> Issue Type: Bug
> Affects Versions: 13.15.0, 14.4.0
> Reporter: Ross Beer
> Severity: Critical
> Labels: Security
> Target Release: 13.17.1, 13.18.0, 14.6.1, 14.7.0, 15.0.0, 15.1.0, 16.0.0
>
>
> Easily reproducable. Send any message to asterisk with "From: tel:+1000" in the headers.
> The crash is in pjsip_message_ip_updater.c:sanitize_tdata. When we respond with even a 401, that function is called but it assumes that the From, To, and Contact uris are sip uris and casts the header's URI to {{pjsip_sip_uri *uri}}. It then tries to call pjsip_param_find on {{uri->other_param}}. Since the uri is actually a tel uri and {{other_param}} isn't at the same offset in {{pjsip_sip_uri}} as it is in {{pjsip_tel_uri}}, we get a crash.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list