[asterisk-bugs] [JIRA] (ASTERISK-29085) func_curl: Segmentation fault when using CURL after setting httpheader CURLOPT

Péter Juhász (JIRA) noreply at issues.asterisk.org
Thu Sep 17 13:15:43 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252076#comment-252076 ] 

Péter Juhász commented on ASTERISK-29085:
-----------------------------------------

The one embedded in the file func_curl.c: 
{code}
					<enum name="httpheader">
						<para>Add HTTP header. Multiple calls add multiple headers.
						Setting of any header will remove the default
						"Content-Type application/x-www-form-urlencoded"</para>
					</enum>
{code}

And there is the comment at line 431:

{code}
	/* Remove any existing entry, only http headers are left */
{code}

> func_curl: Segmentation fault when using CURL after setting httpheader CURLOPT
> ------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29085
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29085
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_curl
>    Affects Versions: 16.8.0
>         Environment: Fedora 32 Linux x86_64
>            Reporter: Péter Juhász
>            Assignee: Péter Juhász
>            Severity: Minor
>              Labels: patch
>         Attachments: 0001-func_curl-Clear-HTTP-headers-form-shared-cURL-instan.patch, gdb.txt
>
>
> The capability to set HTTP headers was recently added to Asterisk (in issue ASTERISK-28613), but it turns out that this functionality is unsafe in its current implementation, because it is possible to induce a segmentation fault with some combinations of CURLOPT calls.
> The steps to reproduce:
> - Set CURLOPT(httpheader)=Content-Type: application/json
> - use CURL to send POST JSON data to some HTTPS service
> - Set some other CURLOPT that is not httpheader (e.g. userpwd, httptimeout)
> - use CURL again
> With such a dialplan Asterisk crashes consistently.
> We have a coredump, but it contains potentially sensitive data, so I don't want to upload it to the public tracker.
> Analyzing the coredump, it appears that curl->set.headers in acf_curl_helper contains garbage, or more precisely, the data and next pointers in that structure became stale since the first call to CURL.
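
The stale-pointer condition described in the report, as an added example (a constructed model, not code from func_curl.c or libcurl). It assumes a reused handle that borrows its header list without copying it, a helper that frees the list after each request, and a second request that supplies no list of its own; all names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: header nodes come from a static pool, so a "freed"
 * node can be inspected without real undefined behaviour. */
struct hdr { const char *data; int alive; };
static struct hdr pool[8];
static size_t pool_used;

/* Stand-in for a long-lived, reused transfer handle. It stores the
 * caller's list pointer and does not copy the list. */
struct handle { struct hdr *headers; };

static struct hdr *hdr_new(const char *s) {
    struct hdr *h = &pool[pool_used++ % 8];
    h->data = s;
    h->alive = 1;
    return h;
}
static void hdr_free(struct hdr *h) { if (h) h->alive = 0; }

/* Returns 0 on success, -1 where a real transfer would read freed memory. */
static int perform(const struct handle *h) {
    return (h->headers && !h->headers->alive) ? -1 : 0;
}

/* One request on a shared handle. clear_after selects the hardened path. */
static int request(struct handle *h, const char *header, int clear_after) {
    struct hdr *list = header ? hdr_new(header) : NULL;
    int rc;
    if (list) h->headers = list;        /* handle now borrows the list */
    rc = perform(h);
    if (clear_after) h->headers = NULL; /* drop the borrow before freeing */
    hdr_free(list);                     /* list dies, handle lives on */
    return rc;
}

/* First request sets a header, second does not; returns the second result. */
static int second_request_rc(int clear_after) {
    struct handle h = { NULL };
    if (request(&h, "Content-Type: application/json", clear_after) != 0)
        return -2;
    return request(&h, NULL, clear_after);
}

int main(void) {
    printf("handle not cleared: %d\n", second_request_rc(0));
    printf("handle cleared:     %d\n", second_request_rc(1));
    return 0;
}
```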


