[asterisk-bugs] [JIRA] (ASTERISK-28013) res_http_websocket: Crash when reading HTTP Upgrade requests

Friendly Automation (JIRA) noreply at issues.asterisk.org
Thu Sep 20 12:32:55 CDT 2018


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=244913#comment-244913 ] 

Friendly Automation commented on ASTERISK-28013:
------------------------------------------------

Change 10220 merged by Richard Mudgett:
AST-2018-009: Fix crash processing websocket HTTP Upgrade requests

[https://gerrit.asterisk.org/10220|https://gerrit.asterisk.org/10220]

> res_http_websocket: Crash when reading HTTP Upgrade requests
> ------------------------------------------------------------
>
>                 Key: ASTERISK-28013
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28013
>             Project: Asterisk
>          Issue Type: Security
>          Components: Resources/res_http_websocket
>    Affects Versions: 14.7.7, 13.22.0, 15.5.0, 16.0.0
>            Reporter: Sean Bright
>            Severity: Blocker
>              Labels: security
>         Attachments: req.txt
>
>
> The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash.
> NOTE: A bug in ast_iostream_gets() currently gives 15+ versions some slight protection from [^req.txt] causing a crash because the extra long header values are too long.  The extra long lines cause the request to be rejected as a result.  However, if they were 2K long with more of them to compensate we would still get the crash from blowing the stack.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list