[asterisk-commits] kharwell: trunk r415813 - in /trunk: ./ res/res_pjsip_pubsub.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu Jun 12 09:39:32 CDT 2014 

Author: kharwell
Date: Thu Jun 12 09:39:29 2014
New Revision: 415813

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=415813
Log:
res_pjsip_pubsub: unauthenticated remote crash in PJSIP pub/sub framework

A remotely exploitable crash vulnerability exists in the PJSIP channel driver's
pub/sub framework. If an attempt is made to unsubscribe when not currently
subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries
to create an expiration timer with zero seconds, which is not allowed, so an
assertion raised.

The fix was to reject a subscription that is attempting to unsubscribe when not
being already subscribed.  Asterisk now checks for this situation appropriately
and responds with a 400 instead of crashing.

AST-2014-005

ASTERISK-23489 #close
........

Merged revisions 415812 from http://svn.asterisk.org/svn/asterisk/branches/12

Modified:
    trunk/   (props changed)
    trunk/res/res_pjsip_pubsub.c

Propchange: trunk/
------------------------------------------------------------------------------
Binary property 'branch-12-merged' - no diff available.

Modified: trunk/res/res_pjsip_pubsub.c
URL: http://svnview.digium.com/svn/asterisk/trunk/res/res_pjsip_pubsub.c?view=diff&rev=415813&r1=415812&r2=415813
==============================================================================
--- trunk/res/res_pjsip_pubsub.c (original)
+++ trunk/res/res_pjsip_pubsub.c Thu Jun 12 09:39:29 2014
@@ -1129,12 +1129,20 @@
 
 	expires_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_EXPIRES, rdata->msg_info.msg->hdr.next);
 
-	if (expires_header && expires_header->ivalue < endpoint->subscription.minexpiry) {
-		ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %u\n",
+	if (expires_header) {
+		if (expires_header->ivalue == 0) {
+			ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n",
+				ast_sorcery_object_get_id(endpoint));
+			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400, NULL, NULL, NULL);
+				return PJ_TRUE;
+		}
+		if (expires_header->ivalue < endpoint->subscription.minexpiry) {
+			ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %d\n",
 				expires_header->ivalue, ast_sorcery_object_get_id(endpoint), endpoint->subscription.minexpiry);
-		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
-		return PJ_TRUE;
-	}
+			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
+			return PJ_TRUE;
+		}
+        }
 
 	handler = subscription_get_handler_from_rdata(rdata);
 	if (!handler) {

More information about the asterisk-commits mailing list