[asterisk-bugs] [JIRA] (ASTERISK-30259) ari: Crash on missing JSON validation in push registration
Thomas Guebels (JIRA)
noreply at issues.asterisk.org
Mon Oct 10 05:23:08 CDT 2022
[ https://issues.asterisk.org/jira/browse/ASTERISK-30259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Guebels updated ASTERISK-30259:
--------------------------------------
Description:
When creating a new outbound registration using the ARI push method, an unexpected JSON body can easily trigger a crash.
The code expects "attribute" and "value" to be present and to be strings in the objects of the field array.
So anything not in the form
{code}
[
  {
    "attribute": "string",
    "value": "string"
  },
]
{code}
will trigger it. Example:
{code}
[
  {
    "attribute": "string",
    "value": 123
  },
]
{code}
or
{code}
[
  {
  },
]
{code}
This is the backtrace:
{code}
#0 0x00007f33c6f28bea in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x000055b026c5028c in _ast_variable_new (name=0x7f32f4001b90 "max_retries", value=0x0, filename=0x7f3371c7c502 "", file=0x7f3371c7c406 "ari/resource_asterisk.c",
    func=0x7f3371c7cb00 <__PRETTY_FUNCTION__.15793> "ast_ari_asterisk_update_object", lineno=197) at config.c:292
#2 0x00007f3371c7a3a3 in ast_ari_asterisk_update_object (headers=0x7f32f4000ec0, args=0x7f333d552880, response=0x7f333d552ae0) at ari/resource_asterisk.c:197
#3 0x00007f3371c78b73 in ast_ari_asterisk_update_object_cb (ser=0x7f3350000bd0, get_params=0x0, path_vars=0x7f32f40015e0, headers=0x7f32f4000ec0, body=0x7f32f4001910, response=0x7f333d552ae0)
    at res_ari_asterisk.c:161
#4 0x00007f3372ef86f9 in ast_ari_invoke (ser=0x7f3350000bd0, uri=0x7f333d552c49 "asterisk/config/dynamic/res_pjsip/registration/2f35c461-5f59-4fc5-8c59-f191a97fdb03", method=AST_HTTP_PUT, get_params=0x0,
    headers=0x7f32f4000ec0, body=0x7f32f4001910, response=0x7f333d552ae0) at res_ari.c:587
#5 0x00007f3372ef9e79 in ast_ari_callback (ser=0x7f3350000bd0, urih=0x7f3372f06040 <http_uri>, uri=0x7f333d552c49 "asterisk/config/dynamic/res_pjsip/registration/2f35c461-5f59-4fc5-8c59-f191a97fdb03",
    method=AST_HTTP_PUT, get_params=0x0, headers=0x7f32f4000ec0) at res_ari.c:1058
#6 0x000055b026c6fb53 in handle_uri (ser=0x7f3350000bd0, uri=0x7f333d552c49 "asterisk/config/dynamic/res_pjsip/registration/2f35c461-5f59-4fc5-8c59-f191a97fdb03", method=AST_HTTP_PUT, headers=0x7f32f4000ec0)
    at http.c:1490
#7 0x000055b026c70d7e in httpd_process_request (ser=0x7f3350000bd0) at http.c:1931
#8 0x000055b026c710c3 in httpd_helper_thread (data=0x7f3350000bd0) at http.c:1994
#9 0x000055b026c0e39b in handle_tcptls_connection (data=0x7f3350000bd0) at tcptls.c:274
#10 0x000055b026c21de6 in dummy_start (data=0x55b02779cc60) at utils.c:1574
#11 0x00007f33c7214609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#12 0x00007f33c6f96133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
{code}
was:
When creating a new outbound registration using the ARI push method, an unexpected JSON body can easily trigger a crash.
The code expects "attribute" and "value" to be present and to be strings in the objects of the field array.
So anything not in the form
{code}
[
  {
    "attribute": "string",
    "value": "string"
  },
]
{code}
will trigger it. Example:
{code}
[
  {
    "attribute": "string",
    "value": 123
  },
]
{code}
or
{code}
[
  {
  },
]
{code}
> ari: Crash on missing JSON validation in push registration
> ----------------------------------------------------------
>
> Key: ASTERISK-30259
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-30259
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_ari, Resources/res_pjsip_outbound_registration
> Affects Versions: 18.14.0
> Reporter: Thomas Guebels
> Assignee: Unassigned
--
This message was sent by Atlassian JIRA
(v6.2#6252)
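
The check this report says is missing, as an added example that is not part of the original report and is not Asterisk's code: every field object is validated before any of them is used, so a NULL never reaches a consumer like `_ast_variable_new`. The types `jobject`/`jmember`, the helpers `get_string` and `first_invalid_field`, and the sample values are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for parsed JSON; this is not Asterisk's ast_json API. */
enum jtype { J_STRING, J_INTEGER };
struct jmember { const char *key; enum jtype type; const char *str; };
struct jobject { const struct jmember *members; size_t count; };

/* Assumed getter behaviour: NULL when the key is absent or not a string,
 * matching the value=0x0 seen in frame #1 of the backtrace. */
static const char *get_string(const struct jobject *o, const char *key)
{
    for (size_t i = 0; i < o->count; i++) {
        if (strcmp(o->members[i].key, key) == 0) {
            return o->members[i].type == J_STRING ? o->members[i].str : NULL;
        }
    }
    return NULL;
}

/* Validate every field object before any of them is used.
 * Returns -1 if all are well formed, else the index of the first bad one. */
int first_invalid_field(const struct jobject *fields, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!get_string(&fields[i], "attribute") || !get_string(&fields[i], "value")) {
            return (int)i;
        }
    }
    return -1;
}

/* Constructed samples mirroring the bodies in the report. */
static const struct jmember m_ok[] = {
    { "attribute", J_STRING, "max_retries" }, { "value", J_STRING, "5" } };
static const struct jmember m_int[] = {
    { "attribute", J_STRING, "max_retries" }, { "value", J_INTEGER, NULL } };
const struct jobject body_ok[] = { { m_ok, 2 } };
const struct jobject body_int[] = { { m_int, 2 } };
const struct jobject body_empty[] = { { NULL, 0 } };
const struct jobject body_mixed[] = { { m_ok, 2 }, { NULL, 0 } };

int main(void)
{
    /* A handler would reject the request here instead of building variables. */
    printf("%d %d %d %d\n", first_invalid_field(body_ok, 1), first_invalid_field(body_int, 1),
           first_invalid_field(body_empty, 1), first_invalid_field(body_mixed, 2));
    return 0;
}
```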