[asterisk-bugs] [JIRA] (ASTERISK-29085) func_curl: Segmentation fault when using CURL after setting httpheader CURLOPT

Péter Juhász (JIRA) noreply at issues.asterisk.org
Thu Sep 17 13:17:43 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=252076#comment-252076 ] 

Péter Juhász edited comment on ASTERISK-29085 at 9/17/20 1:16 PM:
------------------------------------------------------------------

The one embedded in the file func_curl.c: 
{code}
					<enum name="httpheader">
						<para>Add HTTP header. Multiple calls add multiple headers.
						Setting of any header will remove the default
						"Content-Type application/x-www-form-urlencoded"</para>
					</enum>
{code}

And there is the comment at line 431:

{code}
	/* Remove any existing entry, only http headers are left */
{code}

This was the stated intent; it's a different question that apparently it never worked properly.

I'm just saying that if the proposed fix changes the behavior of the module, the documentation will have to be adjusted too (in which case the fix would be fine).


> func_curl: Segmentation fault when using CURL after setting httpheader CURLOPT
> ------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29085
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29085
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_curl
>    Affects Versions: 16.8.0
>         Environment: Fedora 32 Linux x86_64
>            Reporter: Péter Juhász
>            Assignee: Unassigned
>            Severity: Minor
>              Labels: patch
>         Attachments: 0001-func_curl-Clear-HTTP-headers-form-shared-cURL-instan.patch, gdb.txt
>
>
> The capability to set HTTP headers was recently added to Asterisk (in issue ASTERISK-28613), but it turns out that this functionality is unsafe in its current implementation, because it is possible to induce a segmentation fault with some combinations of CURLOPT calls.
> The steps to reproduce:
> - Set CURLOPT(httpheader)=Content-Type: application/json
> - use CURL to send POST JSON data to some HTTPS service
> - Set some other CURLOPT that is not httpheader (e.g. userpwd, httptimeout)
> - use CURL again
> With such a dialplan Asterisk crashes consistently.
> We have a coredump, but it contains potentially sensitive data, so I don't want to upload it to the public tracker.
> Analyzing the coredump, it appears that curl->set.headers in acf_curl_helper contains garbage, or more precisely, the data and next pointers in that structure became stale since the first call to CURL.
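
The stale data/next pointers described in the report, as an added example that is not code from func_curl.c or libcurl: a self-contained model in which a long-lived handle borrows a per-request header list. All names (hdr, handle, hdr_append, hdr_free_all, perform, do_request, clear_first) are hypothetical, and the model assumes the handle's header pointer is only set when a request supplies headers.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a header list node and a long-lived handle. */
struct hdr { char *data; struct hdr *next; };
struct handle { const struct hdr *headers; }; /* borrowed pointer, not a copy */

static struct hdr *hdr_append(struct hdr *list, const char *s)
{
    struct hdr *n = calloc(1, sizeof(*n)), *t = list;
    if (!n || !(n->data = malloc(strlen(s) + 1))) { free(n); return list; }
    strcpy(n->data, s);
    if (!list) return n;
    while (t->next) t = t->next;
    t->next = n;
    return list;
}

static void hdr_free_all(struct hdr *list)
{
    while (list) {
        struct hdr *next = list->next;
        free(list->data); free(list);
        list = next;
    }
}

/* Model of a transfer: walks whatever list the handle currently points at. */
static int perform(const struct handle *h)
{
    int sent = 0;
    for (const struct hdr *p = h->headers; p; p = p->next)
        sent += (p->data[0] != '\0');
    return sent;
}

/* One request on the shared handle. clear_first=0 models the reported state:
 * the list is freed while the handle still points at it, so the NEXT request
 * that sets no headers walks freed nodes. clear_first=1 drops the reference. */
static int do_request(struct handle *shared, const char *const *hdrs, size_t n, int clear_first)
{
    struct hdr *list = NULL;
    for (size_t i = 0; i < n; i++) list = hdr_append(list, hdrs[i]);
    if (list) shared->headers = list;   /* only set when headers were given */
    int sent = perform(shared);
    if (clear_first) shared->headers = NULL;
    hdr_free_all(list);
    return sent;
}
```

With clear_first=1, a second do_request() that passes no headers finds a NULL list and sends none; with clear_first=0 the same call would read freed memory, which is the use-after-free pattern the coredump analysis points at.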


