[asterisk-bugs] [JIRA] (ASTERISK-29024) pjsip: Route Header in Cancel request incorrectly set

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Mon Aug 17 15:44:43 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251676#comment-251676 ] 

Kevin Harwell commented on ASTERISK-29024:
------------------------------------------

I was finally able to replicate the issue using two Asterisk instances:

Instance A (initiator) _pjsip.conf_ (substitute IP addresses where appropriate):
{noformat}
[global]
type=global
debug=yes

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[transport_t](!)
type=transport
bind=0.0.0.0

[transport_udp](transport_t)
protocol=udp

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[endpoint_t](!)
type=endpoint
context=default
direct_media=no
allow=!all,ulaw
rtcp_mux=yes

[aor_t](!)
type=aor
qualify_frequency=0
max_contacts=10

[auth_t](!)
type=auth
auth_type=userpass
password=0000

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; alice ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[alice](aor_t)
contact=sip:alice@<local ip addr>:5061
mailboxes=alice@default

[alice](auth_t)
username=alice

[alice](endpoint_t)
aors=alice
;auth=alice

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; triton ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[triton](aor_t)
contact=sip:<local ip addr>

[triton](auth_t)
username=nereid

[triton](endpoint_t)
aors=triton
from_user=nereid
allow=!all,ulaw
outbound_proxy=sip:<remote ip addr>:5060\;lr
dtmf_mode=rfc4733
from_domain=nereid
allow=!all,g722,alaw,ulaw
sdp_session=MySession
rtp_symmetric=no
force_rport=no
rewrite_contact=yes
timers=yes
outbound_auth=triton
identify_by=ip

[triton]
type=registration
server_uri=sip:nereid@<remote ip addr>
client_uri=sip:nereid@<remote ip addr>
outbound_proxy=sip:<remote ip addr>:5060\;lr
{noformat}
Instance B _pjsip.conf_ (note the templates are the same as on Instance A):
{noformat}
[nereid](aor_t)
contact=sip:nereid

[nereid](auth_t)
username=nereid

[nereid](endpoint_t)
aors=nereid
from_user=triton
allow=!all,g722,ulaw
{noformat}
Instance B's dialplan _extensions.conf_:
{noformat}
exten => alice,1,NoOp()
    same => n,Progress()
    same => n,Wait(10)
    same => n,Answer()
    same => n,Playback(hello-world)
    same => n,Hangup()
{noformat}
Start both instances of Asterisk and wait for Instance A to register to Instance B. Once it has registered successfully, initiate a call to Alice from Instance A's CLI and then hang up:
{noformat}
*CLI> originate PJSIP/triton/alice application Echo
*CLI>
*CLI> hangup request all
{noformat}
Note the following SIP trace/CLI output from Asterisk Instance A:
{noformat}
*CLI> Asterisk Ready.

*CLI> 
*CLI> 
*CLI> 
*CLI> originate PJSIP/triton/alice application Echo<--- Transmitting SIP request (581 bytes) to UDP:10.24.17.123:5060 --->
REGISTER sip:nereid@10.24.17.123 SIP/2.0
Via: SIP/2.0/UDP 10.24.249.90:5060;rport;branch=z9hG4bKPj9498b530-6305-426d-9564-977f572fd01b
Route: <sip:10.24.17.123:5060;lr>
From: <sip:nereid@10.24.17.123>;tag=dc91bb90-1a18-46c3-846d-f21fb023ff3b
To: <sip:nereid@10.24.17.123>
Call-ID: ec4245df-2e39-4ca2-8759-7b5f6b4e3b9f
CSeq: 60321 REGISTER
Contact: <sip:s@10.24.249.90:5060>
Expires: 3600
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Max-Forwards: 70
User-Agent: Asterisk PBX 17.6.0
Content-Length:  0


<--- Received SIP response (545 bytes) from UDP:10.24.17.123:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.24.249.90:5060;rport=5060;received=10.24.249.90;branch=z9hG4bKPj9498b530-6305-426d-9564-977f572fd01b
Call-ID: ec4245df-2e39-4ca2-8759-7b5f6b4e3b9f
From: <sip:nereid@10.24.17.123>;tag=dc91bb90-1a18-46c3-846d-f21fb023ff3b
To: <sip:nereid@10.24.17.123>;tag=z9hG4bKPj9498b530-6305-426d-9564-977f572fd01b
CSeq: 60321 REGISTER
Date: Mon, 17 Aug 2020 20:27:46 GMT
Contact: <sip:nereid>
Contact: <sip:s@10.24.249.90:5060>;expires=3599
Expires: 3600
Server: Asterisk PBX GIT-16-5609d00
Content-Length:  0



*CLI> <--- Transmitting SIP request (983 bytes) to UDP:10.24.17.123:5060 --->
INVITE sip:alice@127.0.0.1:5061 SIP/2.0
Via: SIP/2.0/UDP 10.24.249.90:5060;rport;branch=z9hG4bKPj0589b8de-0e05-4abe-b9e8-f470412a283c
From: "Anonymous" <sip:nereid@nereid>;tag=23cc3c64-337a-4dd1-8d64-1289f830bebd
To: <sip:alice@127.0.0.1>
Contact: <sip:nereid@10.24.249.90:5060>
Call-ID: 9438b6b2-41b3-423d-a18a-22491349fd4c
CSeq: 16411 INVITE
Route: <sip:10.24.17.123:5060;lr>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
Session-Expires: 1800
Min-SE: 90
Max-Forwards: 70
User-Agent: Asterisk PBX 17.6.0
Content-Type: application/sdp
Content-Length:   296

v=0
o=- 351831285 351831285 IN IP4 10.24.249.90
s=MySession
c=IN IP4 10.24.249.90
t=0 0
m=audio 14926 RTP/AVP 9 8 0 101
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
a=rtcp-mux

<--- Received SIP response (375 bytes) from UDP:10.24.17.123:5060 --->
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 10.24.249.90:5060;rport=5060;received=10.24.249.90;branch=z9hG4bKPj0589b8de-0e05-4abe-b9e8-f470412a283c
Call-ID: 9438b6b2-41b3-423d-a18a-22491349fd4c
From: "Anonymous" <sip:nereid@nereid>;tag=23cc3c64-337a-4dd1-8d64-1289f830bebd
To: <sip:alice@127.0.0.1>
CSeq: 16411 INVITE
Server: Asterisk PBX GIT-16-5609d00
Content-Length:  0


<--- Received SIP response (876 bytes) from UDP:10.24.17.123:5060 --->
SIP/2.0 183 Session Progress
Via: SIP/2.0/UDP 10.24.249.90:5060;rport=5060;received=10.24.249.90;branch=z9hG4bKPj0589b8de-0e05-4abe-b9e8-f470412a283c
Call-ID: 9438b6b2-41b3-423d-a18a-22491349fd4c
From: "Anonymous" <sip:nereid@nereid>;tag=23cc3c64-337a-4dd1-8d64-1289f830bebd
To: <sip:alice@127.0.0.1>;tag=588b8700-7a5d-4169-96d6-8bc7121d35aa
CSeq: 16411 INVITE
Server: Asterisk PBX GIT-16-5609d00
Contact: <sip:10.24.17.123:5060>
Allow: OPTIONS, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, MESSAGE, REFER
Content-Type: application/sdp
Content-Length:   271

v=0
o=- 351831285 351831287 IN IP4 10.24.17.123
s=Asterisk
c=IN IP4 10.24.17.123
t=0 0
m=audio 11872 RTP/AVP 9 0 101
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:150
a=sendrecv
a=rtcp-mux


*CLI> 
*CLI> 
*CLI> 
*CLI> hangup request all
Requested Hangup on channel 'PJSIP/triton-00000000'
*CLI> <--- Transmitting SIP request (441 bytes) to UDP:10.24.17.123:5060 --->
CANCEL sip:alice@127.0.0.1:5061 SIP/2.0
Via: SIP/2.0/UDP 10.24.249.90:5060;rport;branch=z9hG4bKPj0589b8de-0e05-4abe-b9e8-f470412a283c
From: "Anonymous" <sip:nereid@nereid>;tag=23cc3c64-337a-4dd1-8d64-1289f830bebd
To: <sip:alice@127.0.0.1>
Call-ID: 9438b6b2-41b3-423d-a18a-22491349fd4c
CSeq: 16411 CANCEL
Route: <sip:
<--- Transmitting SIP request (441 bytes) to UDP:10.24.17.123:5060 --->
CANCEL sip:alice@127.0.0.1:5061 SIP/2.0
Via: SIP/2.0/UDP 10.24.249.90:5060;rport;branch=z9hG4bKPj0589b8de-0e05-4abe-b9e8-f470412a283c
From: "Anonymous" <sip:nereid@nereid>;tag=23cc3c64-337a-4dd1-8d64-1289f830bebd
To: <sip:alice@127.0.0.1>
Call-ID: 9438b6b2-41b3-423d-a18a-22491349fd4c
CSeq: 16411 CANCEL
Route: <sip:

*CLI> 
*CLI> <--- Transmitting SIP request (441 bytes) to UDP:10.24.17.123:5060 --->
CANCEL sip:alice@127.0.0.1:5061 SIP/2.0
Via: SIP/2.0/UDP 10.24.249.90:5060;rport;branch=z9hG4bKPj0589b8de-0e05-4abe-b9e8-f470412a283c
From: "Anonymous" <sip:nereid@nereid>;tag=23cc3c64-337a-4dd1-8d64-1289f830bebd
To: <sip:alice@127.0.0.1>
Call-ID: 9438b6b2-41b3-423d-a18a-22491349fd4c
CSeq: 16411 CANCEL
Route: <sip:
{noformat}

> pjsip: Route Header in Cancel request incorrectly set
> -----------------------------------------------------
>
>                 Key: ASTERISK-29024
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29024
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 17.6.0
>            Reporter: Flole Systems
>            Assignee: Unassigned
>
> When I initiate a call using PJSIP and Cancel the call while it's still ringing, the Route header seems to be sent incorrectly. It looks like it's a pointer to a memory region that got overwritten. I saw internal IP addresses in there as well as some other stuff like "Route: <sip:}". The "Route: <sip:" is always set properly, just the part after the sip is never set correctly and also the closing ">" is always missing.
> As the memory region that it reads from can't be controlled it might happen that confidential data like a password is exposed over this.



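The following is an added example, not part of the original message or of Asterisk's code: a defender-side check that scans an Asterisk PJSIP debug log for the symptom reported in this issue, a Route header whose value is truncated or has no closing ">". The function name, the strictness of the Route pattern, and the sample log (constructed, using documentation addresses) are assumptions of this example.

```python
import re

# Banner Asterisk's PJSIP logger prints before each message (see the trace above).
BANNER = re.compile(r"<--- (Transmitting|Received) SIP (?:request|response) "
                    r"\(\d+ bytes\) (?:to|from) \S+ --->")
# One Route entry: balanced <...> around a SIP URI of printable ASCII, then
# optional header parameters. This strictness is the example's assumption.
ENTRY = r"<sips?:[\x21-\x3b\x3d\x3f-\x7e]+>(?:;[\x21-\x2b\x2d-\x3b\x3d\x3f-\x7e]+)*"
ROUTE_VALUE = re.compile(rf"{ENTRY}(?:\s*,\s*{ENTRY})*")

def find_malformed_routes(log_text):
    """Return one finding per Route header that is not well formed."""
    findings = []
    parts = BANNER.split(log_text)  # [preamble, dir1, body1, dir2, body2, ...]
    for direction, body in zip(parts[1::2], parts[2::2]):
        lines = body.strip("\r\n").splitlines()
        if not lines:
            continue
        call_id, bad = None, []
        for line in lines[1:]:
            if not line.strip():
                break  # blank line ends the header block
            name, _, value = line.partition(":")
            key, value = name.strip().lower(), value.strip()
            if key == "call-id":
                call_id = value
            elif key == "route" and not ROUTE_VALUE.fullmatch(value):
                bad.append(value)
        for route in bad:
            findings.append({"direction": direction, "request": lines[0].strip(),
                             "call_id": call_id, "route": route})
    return findings

# Constructed sample in the shape of the trace above (documentation addresses).
SAMPLE_LOG = """\
<--- Transmitting SIP request (983 bytes) to UDP:192.0.2.10:5060 --->
INVITE sip:alice@192.0.2.20:5061 SIP/2.0
Call-ID: constructed-call-1
Route: <sip:192.0.2.10:5060;lr>
<--- Transmitting SIP request (441 bytes) to UDP:192.0.2.10:5060 --->
CANCEL sip:alice@192.0.2.20:5061 SIP/2.0
Call-ID: constructed-call-1
Route: <sip:
<--- Transmitting SIP request (442 bytes) to UDP:192.0.2.10:5060 --->
CANCEL sip:alice@192.0.2.20:5061 SIP/2.0
Call-ID: constructed-call-1
Route: <sip:}
"""
```

On the constructed sample, `find_malformed_routes(SAMPLE_LOG)` reports the two CANCEL requests and leaves the INVITE alone; the same function can be run over a log captured with `debug=yes` as in the configuration above.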