[asterisk-bugs] [JIRA] (ASTERISK-28013) res_http_websocket: Crash when reading HTTP Upgrade requests
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Thu Sep 20 13:49:54 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-28013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-28013:
-------------------------------------
Target Release Version/s: 14.7.8
> res_http_websocket: Crash when reading HTTP Upgrade requests
> ------------------------------------------------------------
>
> Key: ASTERISK-28013
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28013
> Project: Asterisk
> Issue Type: Security
> Components: Resources/res_http_websocket
> Affects Versions: 14.7.7, 13.22.0, 15.5.0, 16.0.0
> Reporter: Sean Bright
> Severity: Blocker
> Labels: security
> Target Release: 13.23.1, 14.7.8
>
> Attachments: req.txt
>
>
> The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash.
> NOTE: A bug in ast_iostream_gets() currently gives 15+ versions some slight protection from [^req.txt] causing a crash because the extra long header values are too long. The extra long lines cause the request to be rejected as a result. However, if they were 2K long with more of them to compensate we would still get the crash from blowing the stack.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list