[asterisk-commits] AST-2016-002 chan sip.c: Fix retransmission timeout integer ... (asterisk[11.21])

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Wed Feb 3 15:17:04 CST 2016


Kevin Harwell has submitted this change and it was merged.

Change subject: AST-2016-002 chan_sip.c: Fix retransmission timeout integer overflow.
......................................................................


AST-2016-002 chan_sip.c: Fix retransmission timeout integer overflow.

Setting the sip.conf timert1 value to a value higher than 1245 can cause
an integer overflow and result in large retransmit timeout times.  These
large timeout times hold system file descriptors hostage and can cause the
system to run out of file descriptors.

NOTE: The default sip.conf timert1 value is 500 which does not expose the
vulnerability.

* The overflow is now detected and the previous timeout time is
calculated.

ASTERISK-25397 #close
Reported by: Alexander Traud

Change-Id: Ia7231f2f415af1cbf90b923e001b9219cff46290
---
M channels/chan_sip.c
1 file changed, 7 insertions(+), 0 deletions(-)
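To make the failure mode in the commit message concrete, here is an added, self-contained C model of the retransmit-timer arithmetic; it is not Asterisk's code and does not use `struct sip_pkt`. The names `retrans_state`, `next_product_unguarded`, `next_timeout_guarded`, `first_overflow_step` and `guarded_timeout_after` are invented for this example. It computes the unguarded product in `long long` (so the demonstration itself never triggers signed-overflow undefined behaviour) to find the step at which `timer_t1 * timer_a` would exceed `INT_MAX` for a `timert1` of 1246, and then shows that the guard from the patch makes the timeout plateau at the last safe value instead of growing.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, simplified retransmit state (assumption: not Asterisk's
 * struct sip_pkt). timer_t1 is the configured T1 in ms, timer_a the
 * multiplier that doubles on every retransmission. */
struct retrans_state {
	int timer_t1;
	int timer_a;
	bool is_invite;
};

/* Doubles timer_a exactly as the retransmit path does: first call sets it
 * to 2, later calls double it. Keeps the demo within 30 steps so timer_a
 * itself (2^30) still fits in an int. */
static void double_timer_a(struct retrans_state *st)
{
	st->timer_a = st->timer_a ? 2 * st->timer_a : 2;
}

/* Unguarded variant: returns the raw product timer_t1 * timer_a in a wider
 * type so we can observe it exceeding INT_MAX. The 4000 ms cap for
 * non-INVITEs is applied after this multiplication in the real code, so it
 * does not prevent the overflow and is intentionally left out here. */
static long long next_product_unguarded(struct retrans_state *st)
{
	double_timer_a(st);
	return (long long)st->timer_t1 * st->timer_a;
}

/* Guarded variant mirroring the patch: if the product would exceed INT_MAX,
 * halve timer_a back to its previous value so the previous timeout is
 * reused. timer_a is never 0 here because double_timer_a() ran first, so
 * the division in the guard is safe. */
static int next_timeout_guarded(struct retrans_state *st)
{
	int siptimer_a;

	double_timer_a(st);
	if (INT_MAX / st->timer_a < st->timer_t1) {
		/* Would overflow: undo the doubling, reuse previous timeout. */
		st->timer_a = st->timer_a / 2;
	}
	siptimer_a = st->timer_t1 * st->timer_a;	/* cannot overflow now */
	if (!st->is_invite && siptimer_a > 4000) {
		siptimer_a = 4000;	/* non-INVITE cap */
	}
	return siptimer_a;
}

/* First retransmission step (1-based) at which the unguarded product
 * exceeds INT_MAX, or -1 if it does not within max_steps (max_steps <= 30). */
int first_overflow_step(int timer_t1, int max_steps)
{
	struct retrans_state st = { timer_t1, 0, true };
	for (int step = 1; step <= max_steps; step++) {
		if (next_product_unguarded(&st) > INT_MAX) {
			return step;
		}
	}
	return -1;
}

/* Timeout in ms after `steps` guarded retransmissions. */
int guarded_timeout_after(int timer_t1, bool is_invite, int steps)
{
	struct retrans_state st = { timer_t1, 0, is_invite };
	int timeout = 0;
	for (int step = 1; step <= steps; step++) {
		timeout = next_timeout_guarded(&st);
	}
	return timeout;
}

int main(void)
{
	/* Constructed input: timert1 = 1246 ms, above the 1245 threshold
	 * named in the commit message. */
	int t1 = 1246;
	printf("unguarded product exceeds INT_MAX at retransmission #%d\n",
	       first_overflow_step(t1, 30));
	printf("guarded INVITE timeout after 30 retransmissions: %d ms\n",
	       guarded_timeout_after(t1, true, 30));
	printf("guarded non-INVITE timeout after 30 retransmissions: %d ms\n",
	       guarded_timeout_after(t1, false, 30));
	return 0;
}
```

With `timert1 = 1246` the unguarded product crosses `INT_MAX` at the 21st doubling (1246 * 2^21 is about 2.61e9); with the guard, `timer_a` is pushed back to 2^20 on every subsequent step, so the INVITE timeout stays at 1246 * 2^20 = 1306525696 ms rather than wrapping, and the non-INVITE path is still capped at 4000 ms.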

Approvals:
  Kevin Harwell: Looks good to me, approved; Verified



diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 4e76844..f8a99c3 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -3980,6 +3980,13 @@
 			}
 
 			/* For non-invites, a maximum of 4 secs */
+			if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
+				/*
+				 * Uh Oh, we will have an integer overflow.
+				 * Recalculate previous timeout time instead.
+				 */
+				pkt->timer_a = pkt->timer_a / 2;
+			}
 			siptimer_a = pkt->timer_t1 * pkt->timer_a;	/* Double each time */
 			if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
 				siptimer_a = 4000;
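Review bot: the new guard `if (INT_MAX / pkt->timer_a < pkt->timer_t1)` divides by `pkt->timer_a`, and nothing in this hunk shows that `timer_a` is non-zero (or positive) at this point; if the doubling that precedes this block guarantees it, a one-line comment saying so (or an explicit `pkt->timer_a > 0 &&` in the condition) would make the check self-evidently safe for the next reader. It would also help to state in the comment that halving `timer_a` undoes the doubling done just above, so once this branch is taken every later retransmission halves and re-doubles and the timeout plateaus at the last non-overflowing value; that is the intended behaviour per the commit message but "Recalculate previous timeout time instead" leaves it implicit. Placing the guard before the multiplication is correct for both methods: the `siptimer_a > 4000` cap for non-INVITEs runs after the product is formed, so it would not have prevented the overflow on its own.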

-- 
To view, visit https://gerrit.asterisk.org/2186
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ia7231f2f415af1cbf90b923e001b9219cff46290
Gerrit-PatchSet: 2
Gerrit-Project: asterisk
Gerrit-Branch: 11.21
Gerrit-Owner: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Kevin Harwell <kharwell at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>
