[asterisk-bugs] [JIRA] (ASTERISK-29227) res_pjsip_diversion: sending multiple 181 responses causes memory corruption and crash
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Thu Feb 18 10:38:17 CST 2021
[ https://issues.asterisk.org/jira/browse/ASTERISK-29227?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=253887#comment-253887 ]
Friendly Automation commented on ASTERISK-29227:
------------------------------------------------
Change 15453 merged by George Joseph:
res_pjsip_diversion: Fix adding more than one histinfo to Supported
[https://gerrit.asterisk.org/c/asterisk/+/15453|https://gerrit.asterisk.org/c/asterisk/+/15453]
> res_pjsip_diversion: sending multiple 181 responses causes memory corruption and crash
> --------------------------------------------------------------------------------------
>
> Key: ASTERISK-29227
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29227
> Project: Asterisk
> Issue Type: Security
> Security Level: None
> Components: pjproject/pjsip
> Affects Versions: 13.38.0, 13.38.1, 16.15.0, 16.15.1, 17.9.0, 17.9.1, 18.1.0, 18.1.1
> Reporter: Ivan Poddubny
> Severity: Blocker
> Labels: patch, security
> Attachments: 0001-res_pjsip_diversion-Fix-adding-more-than-one-histinf.patch
>
>
> Every time Asterisk/chan_pjsip transmits a "181 Call is being forwarded" packet, res_pjsip_diversion adds a "histinfo" element to Supported header. It doesn't check if "histinfo" has already been added, nor it performs a bounds check, thus making it possible to overwrite/corrupt memory past the PJSIP_GENERIC_ARRAY_MAX_COUNT elements that pjsip_supported_hdr can contain.
> h4. How to reproduce
> Make a call from a pjsip endpoint to this diaplan:
> {quote}
> exten => 181,1,NoOp
> same => n,Set(i=9000)
> same => n,While($[ $\{DEC\(i)} != 0])
> same => n,Set(REDIRECTING(from-num)=$\{i})
> same => n,EndWhile
> {quote}
> h4. How to crash Asterisk remotely
> Use Dial application on an unanswered incoming PJSIP channel to connect to a channel indicating AST_CONTROL_REDIRECTING more than PJSIP_GENERIC_ARRAY_MAX_COUNT times (32 by default).
> Example:
> * 2 PJSIP endpoints \[alice] and \[bob]
> * PJSIP/alice-00000001 executes Dial(PJSIP/bob)
> * PJSIP/bob-00000002 sends an INVITE to bob
> * bob sends 100 Trying, followed by repeating "181 Call Is Being Forwarded"
> * Asterisk transmits 181 Call Is Being Forwarded to alice, adding one more "histinfo" element to Supported, eventually overwriting memory past array boundary until Asterisk crashes.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list