[asterisk-bugs] [JIRA] (ASTERISK-29381) chan_pjsip: Remote denial of service by an authenticated user

Asterisk Team (JIRA) noreply at issues.asterisk.org
Wed Sep 14 10:44:11 CDT 2022


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29381?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-29381:
-------------------------------------

    Target Release Version/s: 20.0.0

> chan_pjsip: Remote denial of service by an authenticated user
> -------------------------------------------------------------
>
>                 Key: ASTERISK-29381
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29381
>             Project: Asterisk
>          Issue Type: Security
>      Security Level: None
>          Components: Resources/res_pjsip_session
>    Affects Versions: 16.17.0, 18.3.0
>            Reporter: Ivan Poddubny
>            Assignee: Joshua C. Colp
>            Severity: Blocker
>              Labels: patch, security
>      Target Release: 16.19.1, 16.20.0, 18.5.1, 18.6.0, 19.0.0, 20.0.0
>
>         Attachments: AST-2021-007-16.diff, AST-2021-007-18.diff, AST-2021-007.pdf, extensions.conf, pjsip.conf, test.sh, test.xml, verbose-crash.txt
>
>
> A remote party can provoke a crash of Asterisk (18.3.0, 16.17.0, master) by sending a re-INVITE after Asterisk has sent a BYE (and hasn't received a response to it).
> The issue was introduced in a commit fixing ASTERISK-28452 ("res_pjsip_session: Always produce offer on re-INVITE without SDP"). The new pjsip callback added in the commit (session_inv_on_create_offer) assumes that ast_sip_session always has a channel:
> {code}
>        ast_queue_unhold(session->channel);
> {code}
> When {{session->channel}} is NULL, {{ast_queue_unhold(NULL)}} causes Asterisk to log a few assertion failures and crash.
> An example scenario is attached (configs + sipp + verbose console output).



--
This message was sent by Atlassian JIRA
(v6.2#6252)
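
A minimal C model of the failure described in the report above, added here as an illustration; it is not Asterisk source and not the attached AST-2021-007 patch. The struct and function names are hypothetical, and it assumes the session's channel pointer is NULL once the BYE has been sent, as the report states for the crashing case.

```c
#include <stddef.h>

/* Constructed model, not Asterisk source: every name here is hypothetical. */
struct channel { int unhold_frames; };
struct sip_session { struct channel *channel; };

enum offer_result { OFFER_CREATED = 0, OFFER_NO_CHANNEL = -1 };

/* Stand-in for queueing an unhold frame; it requires a valid channel. */
static void queue_unhold(struct channel *chan) { chan->unhold_frames++; }

/* Assumption: after the local BYE the channel is detached (NULL) while the
 * SIP dialog stays alive waiting for the response. */
void session_send_bye(struct sip_session *s) { s->channel = NULL; }

/* Unguarded shape from the report: dereferences a NULL channel when a
 * re-INVITE arrives in that window. Shown for contrast, never called. */
enum offer_result on_create_offer_unguarded(struct sip_session *s)
{
    queue_unhold(s->channel);
    return OFFER_CREATED;
}

/* Guarded shape: decline to build an offer when no channel is attached. */
enum offer_result on_create_offer_guarded(struct sip_session *s)
{
    if (s == NULL || s->channel == NULL) {
        return OFFER_NO_CHANNEL;
    }
    queue_unhold(s->channel);
    return OFFER_CREATED;
}

/* Exercises the guarded callback before and after the BYE; the second call
 * is the reported case. Returns 1 when only the first call touched the channel. */
int replay_reported_sequence(void)
{
    struct channel chan = { 0 };
    struct sip_session s = { &chan };
    enum offer_result first = on_create_offer_guarded(&s);
    session_send_bye(&s);
    enum offer_result late = on_create_offer_guarded(&s);
    return first == OFFER_CREATED && late == OFFER_NO_CHANNEL
        && chan.unhold_frames == 1;
}

int main(void)
{
    return replay_reported_sequence() ? 0 : 1;
}
```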


