[asterisk-bugs] [JIRA] (ASTERISK-29227) res_pjsip_diversion: sending multiple 181 responses causes memory corruption and crash

Friendly Automation (JIRA) noreply at issues.asterisk.org
Thu Feb 18 10:38:16 CST 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=253882#comment-253882 ] 

Friendly Automation commented on ASTERISK-29227:
------------------------------------------------

Change 15465 merged by George Joseph:
res_pjsip_diversion: Fix adding more than one histinfo to Supported

https://gerrit.asterisk.org/c/asterisk/+/15465

> res_pjsip_diversion: sending multiple 181 responses causes memory corruption and crash
> --------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29227
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29227
>             Project: Asterisk
>          Issue Type: Security
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 13.38.0, 13.38.1, 16.15.0, 16.15.1, 17.9.0, 17.9.1, 18.1.0, 18.1.1
>            Reporter: Ivan Poddubny
>            Severity: Blocker
>              Labels: patch, security
>         Attachments: 0001-res_pjsip_diversion-Fix-adding-more-than-one-histinf.patch
>
>
> Every time Asterisk/chan_pjsip transmits a "181 Call is being forwarded" packet, res_pjsip_diversion adds a "histinfo" element to the Supported header. It doesn't check if "histinfo" has already been added, nor does it perform a bounds check, thus making it possible to overwrite/corrupt memory past the PJSIP_GENERIC_ARRAY_MAX_COUNT elements that pjsip_supported_hdr can contain.
>
> How to reproduce
>
> Make a call from a pjsip endpoint to this dialplan:
>
>     exten => 181,1,NoOp
>     same => n,Set(i=9000)
>     same => n,While($[ ${DEC(i)} != 0])
>     same => n,Set(REDIRECTING(from-num)=${i})
>     same => n,EndWhile
>
> How to crash Asterisk remotely
>
> Use the Dial application on an unanswered incoming PJSIP channel to connect to a channel indicating AST_CONTROL_REDIRECTING more than PJSIP_GENERIC_ARRAY_MAX_COUNT times (32 by default).
> Example:
> * 2 PJSIP endpoints [alice] and [bob]
> * PJSIP/alice-00000001 executes Dial(PJSIP/bob)
> * PJSIP/bob-00000002 sends an INVITE to bob
> * bob sends 100 Trying, followed by repeating "181 Call Is Being Forwarded"
> * Asterisk transmits 181 Call Is Being Forwarded to alice, adding one more "histinfo" element to Supported, eventually overwriting memory past the array boundary until Asterisk crashes.
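The merged fix comes down to two checks before appending to the fixed-size Supported array: skip the append when "histinfo" is already present, and refuse it when the array is full. The C model below is an added example, not Asterisk or PJSIP code; the struct and function names are constructed, and it assumes the 32-entry default the report names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for PJSIP's generic array header: a fixed number of
 * option values, with no room to grow. 32 is the default the report cites. */
#define GENERIC_ARRAY_MAX_COUNT 32

struct supported_hdr {
    unsigned count;
    const char *values[GENERIC_ARRAY_MAX_COUNT];
};

/* Returns 1 if the option token is already advertised in Supported. */
int supported_has(const struct supported_hdr *hdr, const char *opt)
{
    for (unsigned i = 0; i < hdr->count; i++) {
        if (strcmp(hdr->values[i], opt) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Hardened append: idempotent (a second "histinfo" is a no-op) and
 * bounds-checked. Returns 0 on success or no-op, -1 if the array is full. */
int supported_add_once(struct supported_hdr *hdr, const char *opt)
{
    if (supported_has(hdr, opt)) {
        return 0;                               /* nothing to add */
    }
    if (hdr->count >= GENERIC_ARRAY_MAX_COUNT) {
        return -1;                              /* would write past values[] */
    }
    hdr->values[hdr->count++] = opt;
    return 0;
}

/* Models a leg that relays n_181 "181 Call Is Being Forwarded" responses,
 * each of which tries to add histinfo. Returns the resulting entry count. */
unsigned simulate_181_responses(struct supported_hdr *hdr, unsigned n_181)
{
    for (unsigned i = 0; i < n_181; i++) {
        supported_add_once(hdr, "histinfo");
    }
    return hdr->count;
}

/* Adds up to n distinct constructed tokens ("opt0", "opt1", ...) so the
 * bounds check can be exercised. Returns how many were accepted. */
unsigned fill_distinct(struct supported_hdr *hdr, unsigned n)
{
    static char names[GENERIC_ARRAY_MAX_COUNT + 8][8];
    unsigned accepted = 0;
    for (unsigned i = 0; i < n && i < GENERIC_ARRAY_MAX_COUNT + 8; i++) {
        snprintf(names[i], sizeof names[i], "opt%u", i);
        if (supported_add_once(hdr, names[i]) == 0) {
            accepted++;
        }
    }
    return accepted;
}
```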


