[Pkg-voip-commits] [asterisk] 01/03: AST-2013-004: chan_sip: crash in ACK to SDP

tzafrir at debian.org tzafrir at debian.org
Thu Aug 29 14:36:33 UTC 2013


This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch squeeze
in repository asterisk.

commit 090cad9d3ccf9e04f74f8a00380db98784a769a5
Author: Tzafrir Cohen <tzafrir.cohen at xorcom.com>
Date:   Wed Aug 28 20:36:48 2013 +0300

    AST-2013-004: chan_sip: crash in ACK to SDP
    
    Fix crash when handling ACK on dialog that has no channel
    A remote exploitable crash vulnerability exists in the SIP channel
    driver if an ACK with SDP is received after the channel has been
    terminated. The handling code incorrectly assumed that the channel would
    always be present.
    
    Conflicts:
    	debian/patches/series
---
 debian/patches/AST-2013-004 |   38 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series       |    1 +
 2 files changed, 39 insertions(+)

diff --git a/debian/patches/AST-2013-004 b/debian/patches/AST-2013-004
new file mode 100644
index 0000000..eba90c3
--- /dev/null
+++ b/debian/patches/AST-2013-004
@@ -0,0 +1,38 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Tue, 27 Aug 2013 15:49:14 +0000
+Subject: AST-2013-004: Fix crash when handling ACK on dialog that has no channel
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-21064
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=397710
+
+A remote exploitable crash vulnerability exists in the SIP channel driver if an
+ACK with SDP is received after the channel has been terminated. The handling
+code incorrectly assumed that the channel would always be present.
+
+This patch adds a check such that the SDP will only be parsed and applied if
+Asterisk has a channel present that is associated with the dialog.
+
+Note that the patch being applied was modified only slightly from the patch
+provided by Walter Doekes of OSSO B.V.
+
+Reported by: Colin Cuthbertson
+Tested by: wdoekes, Colin Cutherbertson
+patches:
+  issueA21064_fix.patch uploaded by wdoekes (License 5674)
+
+Backported to 1.8.13.1
+
+---
+ channels/chan_sip.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -25292,7 +25292,7 @@ static int handle_incoming(struct sip_pv
+ 			p->invitestate = INV_TERMINATED;
+ 			p->pendinginvite = 0;
+ 			acked = __sip_ack(p, seqno, 1 /* response */, 0);
+-			if (find_sdp(req)) {
++			if (p->owner && find_sdp(req)) {
+ 				if (process_sdp(p, req, SDP_T38_NONE))
+ 					return -1;
+ 			}
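Review bot: In the `handle_incoming` hunk of the embedded patch, `if (p->owner && find_sdp(req))` now drops the ACK's SDP silently when the dialog has no channel; a debug-level log message on that path would make late ACKs that arrive after channel teardown visible when troubleshooting. The guard itself matches the description (SDP is parsed and applied only when a channel is associated with the dialog). In the patch header the reporter's name is spelled two ways, "Colin Cuthbertson" on the Reported by line and "Colin Cutherbertson" on the Tested by line, and they should agree. The "Backported to 1.8.13.1" line would also be more useful if it said whether anything other than the line offset differs from the upstream revision named in Origin.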
diff --git a/debian/patches/series b/debian/patches/series
index 086e80a..9a89018 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,3 +62,4 @@ AST-2012-013
 AST-2012-014
 AST-2012-015
 AST-2013-003
+AST-2013-004
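Review bot: No `debian/changelog` entry accompanies the `AST-2013-004` line appended to the series here (the diffstat lists only the new patch file and `debian/patches/series`); if the changelog is not updated in a later commit of this push, add the entry so the security fix is recorded for the upload. The `Conflicts:` stanza in the commit message refers to this file and can be dropped now that the entry sits cleanly after `AST-2013-003`.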

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git


