[asterisk-bugs] [JIRA] (ASTERISK-29024) Route Header in Cancel request incorrectly set

Flole Systems (JIRA) noreply at issues.asterisk.org
Wed Aug 12 12:51:43 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251629#comment-251629 ] 

Flole Systems commented on ASTERISK-29024:
------------------------------------------

The content of that header is random, but it happens every time that the closing > is missing and the content is never correct. Sometimes it contains the IP address of the internal phone that initiated the call, sometimes just pure garbage but never the correct header.

The logs show this:
{noformat}
<--- Transmitting SIP request (481 bytes) to UDP:1.2.3.4:5060 --->
CANCEL sip:123456@my.provider.com:5060 SIP/2.0
Via: SIP/2.0/UDP 4.3.2.1:5060;rport;branch=XXX
From: <sip:987654321@my.provider.com>;tag=YYYYYY
To: <sip:123456@my.provider.com>
Call-ID: XXXX
CSeq: 32067 CANCEL
Route: <sip:}
{noformat}

Config looks like this:
{noformat}
[myProvider]
type = endpoint
context = mycontext
dtmf_mode = rfc4733
outbound_proxy = sip:my.provider.com\;lr
direct_media = no
from_domain = my.provider.com
disallow = all
allow = g722,alaw,ulaw
sdp_session=MySession
aors = Provider-aor
rtp_symmetric = no
force_rport = no
rewrite_contact = yes
timers = yes
outbound_auth = auth_reg_my.provider.com
identify_by = ip
{noformat}

> Route Header in Cancel request incorrectly set
> ----------------------------------------------
>
>                 Key: ASTERISK-29024
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29024
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 17.6.0
>            Reporter: Flole Systems
>            Assignee: Flole Systems
>
> When I initiate a call using PJSIP and Cancel the call while it's still ringing the Route-Header seems to be sent incorrectly. It looks like it's a pointer to a memory region that got overwritten. I saw internal IP Addresses in there as well as some other stuff like "Route: <sip:}". The "Route: <sip:" is always set properly, just the part after the sip is never set correctly and also the closing ">" is always missing.
> As the memory region that it reads from can't be controlled it might happen that confidential data like a password is exposed over this.
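
A defender-side check for the symptom reported above, as an added example that is not part of the original report or of Asterisk: it scans SIP message text in the format of the log excerpt and flags any Route header whose value is not a balanced, well-formed `<sip:...>` entry. The sample log is constructed, and the function names and the simplified URI pattern are assumptions.

```python
import re

# Constructed sample in the format of the log excerpt above (placeholder values).
SAMPLE_LOG = """\
<--- Transmitting SIP request (481 bytes) to UDP:1.2.3.4:5060 --->
CANCEL sip:123456@my.provider.com:5060 SIP/2.0
Via: SIP/2.0/UDP 4.3.2.1:5060;rport;branch=XXX
CSeq: 32067 CANCEL
Route: <sip:}

<--- Transmitting SIP request (512 bytes) to UDP:1.2.3.4:5060 --->
INVITE sip:123456@my.provider.com:5060 SIP/2.0
Via: SIP/2.0/UDP 4.3.2.1:5060;rport;branch=XXX
CSeq: 32066 INVITE
Route: <sip:my.provider.com;lr>
"""

BANNER = re.compile(r"^<--- (?:Transmitting|Received) SIP (?:request|response) .*--->$")
# Assumption: simplified route entry, <sip:[user@]host[:port][;params]>, no display name.
ROUTE_ENTRY = re.compile(
    r"^<sips?:(?:[^@<>\s]+@)?(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])"
    r"(?::\d{1,5})?(?:;[^<>\s,]*)?>$"
)

def check_route(value):
    """Return a reason string if the Route value is malformed, else None."""
    if value.count("<") != value.count(">"):
        return "unbalanced angle brackets"
    for entry in value.split(","):
        if not ROUTE_ENTRY.match(entry.strip()):
            return "not a SIP URI"
    return None

def malformed_routes(log_text):
    """Return (start_line, route_value, reason) for each malformed Route header."""
    findings, start_line, after_banner = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if BANNER.match(line):
            after_banner = True           # the next line is the request/status line
        elif after_banner:
            start_line, after_banner = line, False
        elif line.lower().startswith("route:"):
            value = line.split(":", 1)[1].strip()
            reason = check_route(value)
            if reason:
                findings.append((start_line, value, reason))
    return findings
```

Run over captured logger output, any hit on an outbound CANCEL is a message to keep for the bug report and to review for leaked internal data before sharing.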
