[asterisk-bugs] [JIRA] (ASTERISK-29024) Route Header in Cancel request incorrectly set
Flole Systems (JIRA)
noreply at issues.asterisk.org
Mon Aug 17 06:40:43 CDT 2020
[ https://issues.asterisk.org/jira/browse/ASTERISK-29024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251667#comment-251667 ]
Flole Systems commented on ASTERISK-29024:
------------------------------------------
Yes, that sounds right. I think I figured out what's going on: my provider doesn't send back a Route-Header. The SIP trace looks like this, and raising the debug log level didn't seem to produce any additional output:
{noformat}
INVITE sip:123456 at my.provider.com:5060 SIP/2.0
Via: SIP/2.0/UDP 4.3.2.1:5060;rport;branch=XXX
From: <sip:987654321 at my.provider.com>;tag=YYYYYY
To: <sip:123456 at my.provider.com>
Contact: <sip:987654321 at 4.3.2.1:5060>
Call-ID: XXXX
CSeq: 32067 INVITE
Route: <sip:1.2.3.4:5060;lr>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX
Proxy-Authorization: Digest username="myUser", realm="Realm", nonce="XXXX", uri="sip:123456 at my.provider.com:5060", response="XXXX", algorithm=MD5
Content-Type: application/sdp
Content-Length: 283
v=0
o=- 718667999 718667999 IN IP4 4.3.2.1
s=Asterisk
c=IN IP4 4.3.2.1
t=0 0
m=audio 10734 RTP/AVP 9 8 0 101
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
<--- Received SIP response (739 bytes) from UDP:1.2.3.4:5060 --->
SIP/2.0 183 Session Progress
Via: SIP/2.0/UDP 4.3.2.1:5060;received=4.3.2.1;branch=XXX;rport=5060
From: <sip:987654321 at my.provider.com>;tag=YYYYYY
To: <sip:123456 at my.provider.com>;tag=TAGTAG
Call-ID: XXXX
CSeq: 32067 INVITE
Contact: <sip:123456 at 1.2.3.4:5060;transport=udp>
Content-Length: 241
Content-Type: application/sdp
v=0
o=- 3038379570 718668000 IN IP4 5.4.3.1
s=-
c=IN IP4 5.4.3.1
t=0 0
m=audio 14634 RTP/AVP 9 8 101
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=ptime:20
<--- Received SIP response (739 bytes) from UDP:1.2.3.4:5060 --->
SIP/2.0 183 Session Progress
Via: SIP/2.0/UDP 4.3.2.1:5060;received=4.3.2.1;branch=XXX;rport=5060
From: <sip:987654321 at my.provider.com>;tag=YYYYYY
To: <sip:123456 at my.provider.com>;tag=TAGTAG
Call-ID: XXXX
CSeq: 32067 INVITE
Contact: <sip:123456 at 1.2.3.4:5060;transport=udp>
Content-Length: 241
Content-Type: application/sdp
v=0
o=- 3038379570 718668001 IN IP4 5.4.3.1
s=-
c=IN IP4 5.4.3.1
t=0 0
m=audio 14634 RTP/AVP 9 8 101
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
a=ptime:20
<--- Transmitting SIP request (481 bytes) to UDP:1.2.3.4:5060 --->
CANCEL sip:123456 at my.provider.com:5060 SIP/2.0
Via: SIP/2.0/UDP 4.3.2.1:5060;rport;branch=XXX
From: <sip:987654321 at my.provider.com>;tag=YYYYYY
To: <sip:123456 at my.provider.com>
Call-ID: XXXX
CSeq: 32067 CANCEL
Route: <sip:}
<--- Received SIP response (404 bytes) from UDP:1.2.3.4:5060 --->
SIP/2.0 400 Invalid Route
Via: SIP/2.0/UDP 4.3.2.1:5060;received=4.3.2.1;branch=XXX;rport=5060
From: <sip:987654321 at my.provider.com>;tag=YYYYYY
To: <sip:123456 at my.provider.com>;tag=TAGTAG
Call-ID: XXXX
CSeq: 32067 CANCEL
Resource-Priority:
{noformat}
> Route Header in Cancel request incorrectly set
> ----------------------------------------------
>
> Key: ASTERISK-29024
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29024
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: pjproject/pjsip
> Affects Versions: 17.6.0
> Reporter: Flole Systems
> Assignee: Flole Systems
>
> When I initiate a call using PJSIP and Cancel the call while it's still ringing, the Route-Header seems to be sent incorrectly. It looks like it's a pointer to a memory region that got overwritten. I saw internal IP addresses in there as well as some other stuff like "Route: <sip:}". The "Route: <sip:" is always set properly; just the part after the sip is never set correctly, and the closing ">" is always missing.
> As the memory region that it reads from can't be controlled, it might happen that confidential data like a password is exposed over this.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
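
Added example, not part of the original message and not Asterisk or pjproject code: a trace audit that flags a CANCEL whose Route value is malformed or differs from the Route of the INVITE it cancels (RFC 3261 section 9.1 requires the CANCEL to carry the INVITE's Route values). The function names and the simplified Route pattern are assumptions, and the sample trace is constructed from the placeholder values in the trace above.

```python
import re

# Constructed sample modelled on the trace above; all values are placeholders.
SAMPLE_TRACE = """\
INVITE sip:123456@my.provider.com:5060 SIP/2.0
Call-ID: XXXX
CSeq: 32067 INVITE
Route: <sip:1.2.3.4:5060;lr>

CANCEL sip:123456@my.provider.com:5060 SIP/2.0
Call-ID: XXXX
CSeq: 32067 CANCEL
Route: <sip:}
"""

REQUEST_LINE = re.compile(r"^([A-Z]+) .+ SIP/2\.0$")
# Simplified shape check: <sip:...> or <sips:...>, printable URI characters, closing ">".
ROUTE_VALUE = re.compile(r"^<sips?:[!-;=?-~]+>(;[!-~]*)?$")

def parse_requests(trace):
    """Collect method, Call-ID, CSeq number and Route values of each request."""
    requests, current = [], None
    for line in (raw.strip() for raw in trace.splitlines()):
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "call_id": None, "cseq": None, "routes": []}
            requests.append(current)
        elif line.startswith("SIP/2.0 "):
            current = None  # response: its headers do not belong to a request
        elif current is not None:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "call-id":
                current["call_id"] = value
            elif name == "cseq":
                current["cseq"] = value.partition(" ")[0]
            elif name == "route":  # naive comma split, enough for plain URIs
                current["routes"] += [v.strip() for v in value.split(",")]
    return requests

def audit_cancel_routes(trace):
    """Return (transaction, problem, detail) findings for every CANCEL in the trace."""
    reqs = parse_requests(trace)
    invites = {(r["call_id"], r["cseq"]): r for r in reqs if r["method"] == "INVITE"}
    findings = []
    for r in (r for r in reqs if r["method"] == "CANCEL"):
        key = (r["call_id"], r["cseq"])
        findings += [(key, "malformed", v) for v in r["routes"] if not ROUTE_VALUE.match(v)]
        if key in invites and invites[key]["routes"] != r["routes"]:
            findings.append((key, "mismatch", r["routes"]))
    return findings
```
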