[asterisk-bugs] [JIRA] (ASTERISK-27345) res_pjsip_session: RTP instances leak on 488 responses.

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Mon Apr 1 13:24:11 CDT 2019


     [ https://issues.asterisk.org/jira/browse/ASTERISK-27345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Harwell updated ASTERISK-27345:
-------------------------------------

    Target Release Version/s: 16.3.0

> res_pjsip_session: RTP instances leak on 488 responses.
> -------------------------------------------------------
>
>                 Key: ASTERISK-27345
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27345
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_pjsip, Resources/res_pjsip_sdp_rtp, Resources/res_pjsip_session
>    Affects Versions: 13.17.2, GIT, 15.0.0
>            Reporter: Corey Farrell
>            Assignee: Kevin Harwell
>            Severity: Critical
>              Labels: Security, pjsip
>      Target Release: 13.18.1, 13.19.0, 14.7.1, 15.1.1, 15.2.0, 16.0.0, 16.3.0
>
>
> It appears we leak the {{struct ast_sip_session}} associated with any call that is rejected before being established.  In the case of 488 this leak includes RTP instances, which can be easily exploited to use up all RTP ports.
> chan_pjsip is vulnerable to any SIP client that it accepts inbound calls from.  This issue was found using REF_DEBUG with the testsuite {{tests/channels/pjsip/sdp_offer_answer/incoming/off-nominal/multiple-media-stream/audio-video/codec-mismatch}}; specifically, the {{uac-codec-mismatch.xml}} scenario leaks 2 RTP instances.  I verified that a 15-minute delay before shutdown of Asterisk does not release the resources.
> RTP instance creation occurs after the authentication step, so this can only be exploited if authentication is disabled or by users with SIP credentials.  Still, when an administrator gives someone SIP credentials, they do not intend to give access to effectively shut down Asterisk.


