[asterisk-bugs] [JIRA] (ASTERISK-29381) chan_pjsip: Remote denial of service by an authenticated user
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Wed Oct 13 06:03:53 CDT 2021
[ https://issues.asterisk.org/jira/browse/ASTERISK-29381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Asterisk Team updated ASTERISK-29381:
-------------------------------------
Target Release Version/s: 19.0.0
> chan_pjsip: Remote denial of service by an authenticated user
> -------------------------------------------------------------
>
> Key: ASTERISK-29381
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29381
> Project: Asterisk
> Issue Type: Security
> Security Level: None
> Components: Resources/res_pjsip_session
> Affects Versions: 16.17.0, 18.3.0
> Reporter: Ivan Poddubny
> Assignee: Joshua C. Colp
> Severity: Blocker
> Labels: patch, security
> Target Release: 16.19.1, 16.20.0, 18.5.1, 18.6.0, 19.0.0
>
> Attachments: AST-2021-007-16.diff, AST-2021-007-18.diff, AST-2021-007.pdf, extensions.conf, pjsip.conf, test.sh, test.xml, verbose-crash.txt
>
>
> A remote party can provoke a crash of Asterisk (18.3.0, 16.17.0, master) by sending a re-INVITE after Asterisk has sent a BYE (and hasn't received a response to it).
> The issue was introduced in a commit fixing ASTERISK-28452 ("res_pjsip_session: Always produce offer on re-INVITE without SDP"). The new pjsip callback added in the commit (session_inv_on_create_offer) assumes that ast_sip_session always has a channel:
> {code}
> ast_queue_unhold(session->channel);
> {code}
> When {{session->channel}} is NULL, {{ast_queue_unhold(NULL)}} causes Asterisk to log a few assertion failures and crash.
> An example scenario is attached (configs + sipp + verbose console output).
--
This message was sent by Atlassian JIRA
(v6.2#6252)
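The failure mode described in the report above, as an added example: a simplified C model of a create-offer callback that runs after the local side has sent BYE, with the unguarded form beside a guarded one. This is not Asterisk source and not the AST-2021-007 patch; every name in it (`model_session`, `model_send_bye`, `on_create_offer_guarded`, the status values) is hypothetical, and declining the offer is an assumed way to handle the torn-down case.

```c
#include <stdio.h>

/* Hypothetical stand-ins; not Asterisk's real structures or functions. */
struct model_channel { int unhold_queued; };
struct model_session {
    struct model_channel *channel; /* NULL once the local side has hung up */
    int bye_pending;               /* BYE sent, no response received yet */
};
enum offer_status { OFFER_CREATED = 0, OFFER_DECLINED = 1 };

/* Like the helper named in the report, this needs a valid channel. */
static void model_queue_unhold(struct model_channel *chan)
{
    chan->unhold_queued++; /* dereferences chan: a NULL argument is fatal */
}

/* Local hangup: the channel is detached, the session outlives it. */
void model_send_bye(struct model_session *s)
{
    s->channel = NULL;
    s->bye_pending = 1;
}

/* "Before": assumes the session always has a channel. */
enum offer_status on_create_offer_unguarded(struct model_session *s)
{
    model_queue_unhold(s->channel);
    return OFFER_CREATED;
}

/* "After": checks the channel before using it (assumed handling). */
enum offer_status on_create_offer_guarded(struct model_session *s)
{
    if (s == NULL || s->channel == NULL) {
        return OFFER_DECLINED; /* re-INVITE arrived for a torn-down call */
    }
    model_queue_unhold(s->channel);
    return OFFER_CREATED;
}

int main(void)
{
    struct model_channel chan = {0};
    struct model_session s = { &chan, 0 };
    printf("live call:  %d\n", on_create_offer_guarded(&s));
    model_send_bye(&s);
    printf("after BYE:  %d\n", on_create_offer_guarded(&s));
    return 0;
}
```

The unguarded callback is never invoked after `model_send_bye()` here, because doing so dereferences NULL.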