[asterisk-bugs] [JIRA] (ASTERISK-28463) res_pjsip_path: Crash when invalid contact is configured

Friendly Automation (JIRA) noreply at issues.asterisk.org
Thu Sep 26 04:54:47 CDT 2019


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=248154#comment-248154 ] 

Friendly Automation commented on ASTERISK-28463:
------------------------------------------------

Change 12957 merged by Friendly Automation:
res_pjsip_registrar: Validate Contact URI before adding to responses

[https://gerrit.asterisk.org/c/asterisk/+/12957|https://gerrit.asterisk.org/c/asterisk/+/12957]

> res_pjsip_path: Crash when invalid contact is configured
> --------------------------------------------------------
>
>                 Key: ASTERISK-28463
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28463
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_path
>    Affects Versions: 13.27.0, 16.4.0
>         Environment: Debian Stretch 9.9 (Intel x86_64)
>            Reporter: Juan Martin
>            Severity: Minor
>              Labels: pjsip
>         Attachments: backtrace_16.2.1.7z, backtrace_16.4.0.7z, bt.txt, core-brief.txt, core-full.txt, core-locks.txt, core-thread1.txt, pjsip_endpoints.conf
>
>
> Hi,
> I discovered that if you put a bad contact in the aor configuration, it crashes asterisk when the phone is registered, concretelly with  segmentation fault (SIGSEGV).
> I tested it with 16.2.1 and it's also reproducible with 16.4.0.
> h5. Example:
> \[200]
> type=aor
> max_contacts=1
> {{contact=sip:200@*:5060}}
> qualify_frequency=60
> h6. If the phone is not connected it causes some errors but asterisk continue working:
> {{\[2019-06-27 12:08:48.462] ERROR\[20447]: res_pjsip.c:3859 create_out_of_dialog_request: Unable to create outbound OPTIONS request to endpoint 200 as URI 'sip:200@*:5060' is not valid}}
> {{\[2019-06-27 12:08:48.462] ERROR\[20447]: res_pjsip/pjsip_options.c:877 sip_options_qualify_contact: Unable to create request to qualify contact sip:200@*:5060 on AOR 200}}
> h6. Then, as soon as the phone registers in asterisk it crashes the main process:
> {{CLI>     -- Added contact 'sip:200 at 192.168.75.102:5060' to AOR '200' with expiration of 3600 seconds}}
> {{Segmentation fault (`core' generated)}}
> h6. In syslog:
> {{Jun 26 13:48:43 desarrolloV3 kernel: asterisk\[2285]: segfault at 0 ip 00007fa597ec11f8 sp 00007fa592c1eb30 error 4 in res_pjsip_path.so\[7fa597ec0000+3000]}}
> {{Jun 26 13:48:43 desarrolloV3 kernel: Code: 8d 64 24 c8 48 8b 07 48 c7 45 c8 00 00 00 00 48 85 c0 74 05 80 38 00 75 11 48 8d 65 d8 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 <48> 8b 06 48 89 fb 48 89 f7 ff 50 08 48 89 45 a8 49 89 c6 48 8b 40}}
> {{Jun 26 13:48:43 desarrolloV3 systemd\[1]: asterisk.service: Main process exited, code=killed, status=11/SEGV}}
> {{Jun 26 13:48:43 desarrolloV3 systemd\[1]: asterisk.service: Control process exited, code=exited status=1}}
> h5. Conclusion
> Avoiding the part of why there is a wildcard in the contact instead an IP address (contact=sip:200@*:5060), it's bad, I know. But I think that it should 
> not crash the entire system a bad line in configuration.
> Write access to config files is required to exploit this problem. Severity: low.
> Perhaps you could include a filter when parsing the pjsip config files.
> If you remove the malformed contact line in the sample config, asterisk works fine.
> I'll upload the backtraces to provide more info about the crash.



--
This message was sent by Atlassian JIRA
(v6.2#6252)



More information about the asterisk-bugs mailing list