[asterisk-bugs] [JIRA] (ASTERISK-28260) Asterisk segfault when rtp negotiation is wrong or fails

Friendly Automation (JIRA) noreply at issues.asterisk.org
Thu Feb 28 12:23:50 CST 2019


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=246391#comment-246391 ] 

Friendly Automation commented on ASTERISK-28260:
------------------------------------------------

Change 11074 merged by Kevin Harwell:
res_pjsip_sdp_rtp:  Fix return code from apply_negotiated_sdp_stream

[https://gerrit.asterisk.org/c/asterisk/+/11074|https://gerrit.asterisk.org/c/asterisk/+/11074]

> Asterisk segfault when rtp negotiation is wrong or fails
> --------------------------------------------------------
>
>                 Key: ASTERISK-28260
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28260
>             Project: Asterisk
>          Issue Type: Security
>          Components: Channels/chan_pjsip
>    Affects Versions: 15.5.0, 15.7.1, 16.1.1
>         Environment: Linux asterisk-06 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux
>            Reporter: Sotiris Ganouris
>            Assignee: Unassigned
>            Severity: Blocker
>              Labels: patch, pjsip, security
>      Target Release: 15.7.2, 16.2.1
>
>         Attachments: 0001-res_pjsip_sdp_rtp-Fix-return-code-from-apply_negotia.patch, full.txt, patch.txt, test-file-1548335450.g729, uas_segfault.xml
>
>
> Hello Asterisk team,
> We are observing a segfault in Asterisk when Asterisk receives rtp streams for a codec that does not support (or does not negotiates). We believe that this is a security concern for asterisk and we couldn’t find anything reported so far about this specific issue. We are trying to find ways to patch it as it also affects latest master. If this was reported or fixed already somewhere else please advise us.
> Example and steps to reproduce:
> 1. Originate a call from Asterisk to a provider. Offer codecs alaw/ulaw/amr/amrwb.
> 2. Provider responds with 180 with sdp body that specifies g729 codec and basically ignores the supported codecs from the initial INVITE from Asterisk.
> 3. Asterisk throws the following NOTICE.
> [2019-01-23 13:49:15] NOTICE[19010]: res_pjsip_sdp_rtp.c:416 set_caps: No joint capabilities for 'audio' media stream between our configuration((alaw|ulaw|amr|amrwb)) and incoming SDP((nothing))
> 	
> 4. Provider starts streaming RTP packets with g729 codec.
> 5. Asterisk segfaults with 
> {noformat}
> Jan 23 13:49:15 asterisk-06 kernel: [13236574.960262] asterisk[23463]: segfault at 7f62d94ffdc8 ip 000055c951b59585 sp 00007f5a1d6ec378 error 4 in asterisk[55c95194b000+2ee000]
> {noformat}
> We are able to reproduce this with a SIPP (SIPp v3.6-dev-100-gffdf9be-RTPSTREAM) scenario that acts as a UAS (provider) and uses g729 encoded file for streaming.
> sipp -sf uas_segfault.xml -p 5060  -set advertisedip [your ip]
> (I couldn't attach the xml here but can send link if needed)
> We were able to reproduce it with Asterisk 15.7.1, 15.5.0, 16.1.1. OS is Linux voice-asterisk-06 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux. Core dumps follows:
> Asterisk 15.7.1
> {noformat}
> (gdb) where
> #0  0x0000555dfd26fe85 in ast_stream_topology_get_stream (topology=0x7f7f50021bd8, stream_num=stream_num at entry=4294967295) at stream.c:432
> #1  0x0000555dfd13eb66 in __ast_read (chan=chan at entry=0x7f7f2c003050, dropaudio=dropaudio at entry=0, dropnondefault=dropnondefault at entry=1) at channel.c:3703
> #2  0x0000555dfd13fa0c in ast_read (chan=chan at entry=0x7f7f2c003050) at channel.c:4193
> #3  0x00007f7ef8432951 in echo_exec (chan=0x7f7f2c003050, data=<optimized out>) at app_echo.c:62
> #4  0x0000555dfd20e639 in pbx_exec (c=0x7f7f2c003050, app=app at entry=0x555dfe84a300, data=data at entry=0x0) at pbx_app.c:492
> #5  0x0000555dfd2054c5 in pbx_outgoing_exec (data=data at entry=0x7f7f2c0019b0) at pbx.c:7593
> #6  0x0000555dfd2886e9 in dummy_start (data=<optimized out>) at utils.c:1258
> #7  0x00007f7f5ba05494 in start_thread (arg=0x7f7eed8cb700) at pthread_create.c:333
> #8  0x00007f7f5a60facf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
> {noformat}
> Asterisk 15.5.0
> {noformat}
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `/usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x0000558d55bd7cc1 in ast_stream_topology_get_stream (topology=0x7f0dd80e0b60, stream_num=4294967295) at stream.c:432
> 432		return AST_VECTOR_GET(&topology->streams, stream_num);
> [Current thread is 1 (Thread 0x7f0d6b0f0700 (LWP 25557))]
> (gdb) bt
> #0  0x0000558d55bd7cc1 in ast_stream_topology_get_stream (topology=0x7f0dd80e0b60, stream_num=4294967295) at stream.c:432
> #1  0x0000558d55a810ba in __ast_read (chan=0x7f0dc0028a58, dropaudio=0, dropnondefault=1) at channel.c:3703
> #2  0x0000558d55a82fce in ast_read (chan=0x7f0dc0028a58) at channel.c:4193
> #3  0x0000558d55acb38d in monitor_dial (dial=0x7f0dc00913f0, chan=0x0) at dial.c:862
> #4  0x0000558d55acb9bd in ast_dial_run (dial=0x7f0dc00913f0, chan=0x0, async=0) at dial.c:979
> #5  0x00007f0d3e9fbf8a in ari_originate_dial (data=0x7f0dc00913f0) at ari/resource_channels.c:981
> #6  0x0000558d55bf52b2 in dummy_start (data=0x7f0dc01e0e90) at utils.c:1258
> #7  0x00007f0de916a494 in start_thread (arg=0x7f0d6b0f0700) at pthread_create.c:333
> #8  0x00007f0de83e5acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
> {noformat}
> Asterisk 16.1.1
> {noformat}
> (gdb) bt
> #0  0x0000562dc0d9b995 in ast_stream_topology_get_stream (topology=0x7f18c001bb58, stream_num=stream_num at entry=4294967295) at stream.c:479
> #1  0x0000562dc0cb6206 in __ast_read (chan=chan at entry=0x7f1898001480, dropaudio=dropaudio at entry=0, dropnondefault=dropnondefault at entry=1) at channel.c:3681
> #2  0x0000562dc0cb70ac in ast_read (chan=chan at entry=0x7f1898001480) at channel.c:4171
> #3  0x00007f1878573951 in echo_exec (chan=0x7f1898001480, data=<optimized out>) at app_echo.c:62
> #4  0x0000562dc0d3c6f9 in pbx_exec (c=0x7f1898001480, app=app at entry=0x562dc3ecc680, data=data at entry=0x0) at pbx_app.c:492
> #5  0x0000562dc0d33475 in pbx_outgoing_exec (data=data at entry=0x7f1898000e20) at pbx.c:7593
> #6  0x0000562dc0db14ec in dummy_start (data=<optimized out>) at utils.c:1249
> #7  0x00007f18d3c25494 in start_thread (arg=0x7f1865fa1700) at pthread_create.c:333
> #8  0x00007f18d282facf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
> {noformat}
> Current Master
> Asterisk-master(1797cd2071cc740c6ff13e57f8cbda1bbbcf6647)
> {noformat}
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> whCore was generated by `asterisk -cvvvvvvvvvvvvvvvvvvv'.
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x0000555f1ddd3a95 in ast_stream_topology_get_stream (topology=0x7f845802f9e8, stream_num=stream_num at entry=4294967295) at stream.c:479
> 479        return AST_VECTOR_GET(&topology->streams, stream_num);
> [Current thread is 1 (Thread 0x7f83fd923700 (LWP 8383))]
> (gdb) where
> #0  0x0000555f1ddd3a95 in ast_stream_topology_get_stream (topology=0x7f845802f9e8, stream_num=stream_num at entry=4294967295) at stream.c:479
> #1  0x0000555f1dcec5d6 in __ast_read (chan=chan at entry=0x7f8438001480, dropaudio=dropaudio at entry=0, dropnondefault=dropnondefault at entry=1) at channel.c:3646
> #2  0x0000555f1dced47c in ast_read (chan=chan at entry=0x7f8438001480) at channel.c:4136
> #3  0x00007f841025c951 in echo_exec (chan=0x7f8438001480, data=<optimized out>) at app_echo.c:62
> #4  0x0000555f1dd72b89 in pbx_exec (c=0x7f8438001480, app=app at entry=0x555f20a26500, data=data at entry=0x0) at pbx_app.c:492
> #5  0x0000555f1dd698d5 in pbx_outgoing_exec (data=data at entry=0x7f8438000e20) at pbx.c:7593
> #6  0x0000555f1dde960c in dummy_start (data=<optimized out>) at utils.c:1249
> #7  0x00007f846b49f494 in start_thread (arg=0x7f83fd923700) at pthread_create.c:333
> #8  0x00007f846a0a9acf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list