[asterisk-bugs] [JIRA] (ASTERISK-28013) res_http_websocket: Crash when reading HTTP Upgrade requests
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Thu Sep 20 12:32:55 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-28013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=244909#comment-244909 ]
Friendly Automation commented on ASTERISK-28013:
------------------------------------------------
Change 10216 merged by Richard Mudgett:
AST-2018-009: Fix crash processing websocket HTTP Upgrade requests
[https://gerrit.asterisk.org/10216|https://gerrit.asterisk.org/10216]
> res_http_websocket: Crash when reading HTTP Upgrade requests
> ------------------------------------------------------------
>
> Key: ASTERISK-28013
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28013
> Project: Asterisk
> Issue Type: Security
> Components: Resources/res_http_websocket
> Affects Versions: 14.7.7, 13.22.0, 15.5.0, 16.0.0
> Reporter: Sean Bright
> Severity: Blocker
> Labels: security
> Attachments: req.txt
>
>
> The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash.
> NOTE: A bug in ast_iostream_gets() currently gives 15+ versions some slight protection from [^req.txt] causing a crash because the extra long header values are too long. The extra long lines cause the request to be rejected as a result. However, if they were 2K long with more of them to compensate we would still get the crash from blowing the stack.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list