[asterisk-bugs] [JIRA] (ASTERISK-28013) res_http_websocket: Crash when reading HTTP Upgrade requests

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Sep 20 16:41:54 CDT 2018


     [ https://issues.asterisk.org/jira/browse/ASTERISK-28013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-28013:
-------------------------------------

    Target Release Version/s: 16.0.0

> res_http_websocket: Crash when reading HTTP Upgrade requests
> ------------------------------------------------------------
>
>                 Key: ASTERISK-28013
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28013
>             Project: Asterisk
>          Issue Type: Security
>          Components: Resources/res_http_websocket
>    Affects Versions: 14.7.7, 13.22.0, 15.5.0, 16.0.0
>            Reporter: Sean Bright
>            Severity: Blocker
>              Labels: security
>      Target Release: 16.0.0, 13.23.1, 14.7.8, 15.6.1
>
>         Attachments: req.txt
>
>
> The HTTP request processing in res_http_websocket allocates additional space on the stack for various headers received during an Upgrade request. An attacker could send a specially crafted request that causes this code to overflow the stack, resulting in a crash.
> NOTE: A bug in ast_iostream_gets() currently gives 15+ versions some slight protection from [^req.txt] causing a crash because the extra long header values are too long.  The extra long lines cause the request to be rejected as a result.  However, if they were 2K long with more of them to compensate we would still get the crash from blowing the stack.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list