[asterisk-bugs] [JIRA] (ASTERISK-29227) res_pjsip_diversion: sending multiple 181 responses causes memory corruption and crash

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Mar 11 11:50:18 CST 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29227?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-29227:
-------------------------------------

    Target Release Version/s: 18.3.0

> res_pjsip_diversion: sending multiple 181 responses causes memory corruption and crash
> --------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29227
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29227
>             Project: Asterisk
>          Issue Type: Security
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 13.38.0, 13.38.1, 16.15.0, 16.15.1, 17.9.0, 17.9.1, 18.1.0, 18.1.1
>            Reporter: Ivan Poddubny
>            Severity: Blocker
>              Labels: patch, security
>      Target Release: 13.38.2, 16.16.1, 16.17.0, 17.9.2, 18.2.1, 18.3.0
>
>         Attachments: 0001-res_pjsip_diversion-Fix-adding-more-than-one-histinf.patch
>
>
> Every time Asterisk/chan_pjsip transmits a "181 Call is being forwarded" packet, res_pjsip_diversion adds a "histinfo" element to the Supported header. It doesn't check whether "histinfo" has already been added, nor does it perform a bounds check, thus making it possible to overwrite/corrupt memory past the PJSIP_GENERIC_ARRAY_MAX_COUNT elements that pjsip_supported_hdr can contain.
> h4. How to reproduce
> Make a call from a pjsip endpoint to this dialplan:
> {quote}
> exten => 181,1,NoOp
> same => n,Set(i=9000)
> same => n,While($[ ${DEC(i)} != 0])
> same => n,Set(REDIRECTING(from-num)=${i})
> same => n,EndWhile
> {quote}
> h4. How to crash Asterisk remotely
> Use Dial application on an unanswered incoming PJSIP channel to connect to a channel indicating AST_CONTROL_REDIRECTING more than PJSIP_GENERIC_ARRAY_MAX_COUNT times (32 by default).
> Example:
> * 2 PJSIP endpoints [alice] and [bob]
> * PJSIP/alice-00000001 executes Dial(PJSIP/bob)
> * PJSIP/bob-00000002 sends an INVITE to bob
> * bob sends 100 Trying, followed by repeating "181 Call Is Being Forwarded"
> * Asterisk transmits 181 Call Is Being Forwarded to alice, adding one more "histinfo" element to Supported, eventually overwriting memory past the array boundary until Asterisk crashes.
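The append pattern the report describes, as an added model in C; this is not Asterisk's res_pjsip_diversion or pjproject code. The struct, the constant name GENERIC_ARRAY_MAX_COUNT and the helper names are this example's own assumptions, chosen to mirror pjsip's generic array header (a count plus a fixed array of PJSIP_GENERIC_ARRAY_MAX_COUNT entries, 32 by default as the report states). The unchecked function reproduces the bug's shape, appending "histinfo" on every 181 with neither a duplicate check nor a bounds check; the checked function shows the two guards a fix needs. The out-of-bounds store is recorded rather than performed so the model runs cleanly under sanitizers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of pjsip's generic array header (what pjsip_supported_hdr is): a count
 * followed by a fixed-size array of option tags. The real constant,
 * PJSIP_GENERIC_ARRAY_MAX_COUNT, defaults to 32; the name below is this
 * model's own assumption. */
#define GENERIC_ARRAY_MAX_COUNT 32

struct supported_hdr {
    unsigned count;
    const char *values[GENERIC_ARRAY_MAX_COUNT];
};

struct outcome {
    unsigned count;      /* hdr->count after the last 181 */
    unsigned oob_writes; /* stores that would have landed past values[] */
};

/* Is the option tag already advertised? Only in-bounds slots are inspected. */
static bool has_option(const struct supported_hdr *hdr, const char *tag)
{
    unsigned n = hdr->count < GENERIC_ARRAY_MAX_COUNT ? hdr->count : GENERIC_ARRAY_MAX_COUNT;
    for (unsigned i = 0; i < n; i++) {
        if (strcmp(hdr->values[i], tag) == 0) {
            return true;
        }
    }
    return false;
}

/* Shape of the bug: append unconditionally. values[count] is the target whether
 * or not count is still inside the array. An out-of-bounds store is counted
 * instead of performed here; the real code would scribble on whatever follows
 * the header in memory. Returns 1 when the store would be out of bounds. */
static int add_option_unchecked(struct supported_hdr *hdr, const char *tag)
{
    unsigned idx = hdr->count++;
    if (idx >= GENERIC_ARRAY_MAX_COUNT) {
        return 1; /* would be: hdr->values[idx] = tag;  past the array */
    }
    hdr->values[idx] = tag;
    return 0;
}

/* Shape of the fix: idempotent (a second 181 must not add a second "histinfo")
 * and bounded (never write past the array even if the header is full for some
 * other reason). Returns 0 on success, -1 when there is no free slot. */
static int add_option_checked(struct supported_hdr *hdr, const char *tag)
{
    if (has_option(hdr, tag)) {
        return 0;
    }
    if (hdr->count >= GENERIC_ARRAY_MAX_COUNT) {
        return -1;
    }
    hdr->values[hdr->count++] = tag;
    return 0;
}

/* Drive n "181 Call Is Being Forwarded" responses through one Supported header,
 * the way repeated AST_CONTROL_REDIRECTING indications on the same call would. */
static struct outcome send_181s(unsigned n, bool hardened)
{
    struct supported_hdr hdr = { 0 };
    struct outcome out = { 0, 0 };

    for (unsigned i = 0; i < n; i++) {
        if (hardened) {
            (void)add_option_checked(&hdr, "histinfo");
        } else {
            out.oob_writes += (unsigned)add_option_unchecked(&hdr, "histinfo");
        }
    }
    out.count = hdr.count;
    return out;
}

int main(void)
{
    struct outcome bad = send_181s(40, false);
    struct outcome good = send_181s(40, true);

    printf("unchecked: count=%u, out-of-bounds stores=%u\n", bad.count, bad.oob_writes);
    printf("checked:   count=%u, out-of-bounds stores=%u\n", good.count, good.oob_writes);
    return 0;
}
```

With 40 forwarded responses the unchecked path ends at count 40 with 8 stores past the array, exactly the 33rd response onward; the checked path ends at count 1 because the duplicate check makes the second and later 181s no-ops, and the bounds check is kept as defence in depth for a header that is already full for unrelated reasons.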



--
This message was sent by Atlassian JIRA
(v6.2#6252)


