[asterisk-commits] mjordan: trunk r397753 - in /trunk: ./ channels/chan_sip.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Aug 27 12:35:22 CDT 2013


Author: mjordan
Date: Tue Aug 27 12:35:20 2013
New Revision: 397753

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=397753
Log:
AST-2013-004: Fix crash when handling ACK on dialog that has no channel

A remotely exploitable crash vulnerability exists in the SIP channel driver if an
ACK with SDP is received after the channel has been terminated. The handling
code incorrectly assumed that the channel would always be present.

This patch adds a check such that the SDP will only be parsed and applied if
Asterisk has a channel present that is associated with the dialog.

Note that the patch being applied was modified only slightly from the patch
provided by Walter Doekes of OSSO B.V.

(closes issue ASTERISK-21064)
Reported by: Colin Cuthbertson
Tested by: wdoekes, Colin Cuthbertson
patches:
  issueA21064_fix.patch uploaded by wdoekes (License 5674)
........

Merged revisions 397710 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 397711 from http://svn.asterisk.org/svn/asterisk/branches/10
........

Merged revisions 397712 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 397713 from http://svn.asterisk.org/svn/asterisk/branches/12

Modified:
    trunk/   (props changed)
    trunk/channels/chan_sip.c

Propchange: trunk/
------------------------------------------------------------------------------
--- branch-12-merged (original)
+++ branch-12-merged Tue Aug 27 12:35:20 2013
@@ -1,1 +1,1 @@
-/branches/12:1-397673,397690,397745
+/branches/12:1-397673,397690,397713,397745

Modified: trunk/channels/chan_sip.c
URL: http://svnview.digium.com/svn/asterisk/trunk/channels/chan_sip.c?view=diff&rev=397753&r1=397752&r2=397753
==============================================================================
--- trunk/channels/chan_sip.c (original)
+++ trunk/channels/chan_sip.c Tue Aug 27 12:35:20 2013
@@ -28167,7 +28167,7 @@
 			p->invitestate = INV_TERMINATED;
 			p->pendinginvite = 0;
 			acked = __sip_ack(p, seqno, 1 /* response */, 0);
-			if (find_sdp(req)) {
+			if (p->owner && find_sdp(req)) {
 				if (process_sdp(p, req, SDP_T38_NONE)) {
 					return -1;
 				}
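
Review bot: The `p->owner &&` guard added to the `find_sdp(req)` test has no comment explaining it, and when it is false the SDP carried by the ACK is dropped silently. Add a short comment above the condition saying that process_sdp() must only run when a channel is associated with the dialog (the log message says the old code assumed one was always present), so a later cleanup does not remove the check as redundant. An ast_debug() line for the case where SDP is present but `p->owner` is NULL would also make the ignored SDP visible when troubleshooting. The visible context does not show whether other callers of process_sdp() rely on the same assumption; that is worth checking as part of this fix.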



