[Pkg-voip-commits] r10064 - in /asterisk/branches/squeeze/debian/patches: AST-2012-014 series

tzafrir at alioth.debian.org tzafrir at alioth.debian.org
Sun Jan 6 22:37:07 UTC 2013 

Author: tzafrir
Date: Sun Jan  6 22:37:06 2013
New Revision: 10064

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=10064
Log:
AST-2012-014 for squeeze (Asterisk 1.6.2)

Patch AST-2012-014: don't read too much from a TCP stream. Fix based
on original fix by Upstream.

Added:
    asterisk/branches/squeeze/debian/patches/AST-2012-014
Modified:
    asterisk/branches/squeeze/debian/patches/series

Added: asterisk/branches/squeeze/debian/patches/AST-2012-014
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-014?rev=10064&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-014 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-014 Sun Jan  6 22:37:06 2013
@@ -1,0 +1,69 @@
+From: Tzafrir Cohen <tzafrir at debian.org>
+Subject: Resolve crashes due to large stack allocations when using TCP
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=378269
+CVE: CVE-2012-5976
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-20658
+
+This patch fixes similar issues to the above in Asterisk 1.6.2: both the
+chan_sip TCP code and HTTP server code included loops that accepted an
+unlimited ammount of input from an unauthenticated user before properly
+parsing them. This patch adds some limits to the ammount recieved from
+each such connection.
+
+See also: http://downloads.asterisk.org/pub/security/AST-2012-014.html
+
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -544,6 +544,7 @@ static int mwi_expiry = DEFAULT_MWI_EXPI
+ 
+ #define SIP_MAX_HEADERS              64               /*!< Max amount of SIP headers to read */
+ #define SIP_MAX_LINES                256              /*!< Max amount of lines in SIP attachment (like SDP) */
++#define SIP_MAX_PACKET_SIZE       20480  /*!< Max SIP packet size */
+ #define SIP_MIN_PACKET               4096             /*!< Initialize size of memory to allocate for packets */
+ #define MAX_HISTORY_ENTRIES 	     50	              /*!< Max entires in the history list for a sip_pvt */
+ 
+@@ -3078,7 +3079,7 @@ static void *_sip_tcp_helper_thread(stru
+ 			req.socket.fd = tcptls_session->fd;
+ 
+ 			/* Read in headers one line at a time */
+-			while (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4)) {
++			while ((req.len <= SIP_MAX_PACKET_SIZE) || (req.len < 4 || strncmp(REQ_OFFSET_TO_STR(&req, len - 4), "\r\n\r\n", 4))) {
+ 				if (!tcptls_session->client && !authenticated ) {
+ 					if ((timeout = sip_check_authtimeout(start)) < 0) {
+ 						goto cleanup;
+--- a/main/http.c
++++ b/main/http.c
+@@ -54,6 +54,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revisi
+ 
+ #define MAX_PREFIX 80
+ #define DEFAULT_SESSION_LIMIT 100
++#define MAX_HEAD_SIZE 8192
+ 
+ /* See http.h for more information about the SSL implementation */
+ #if defined(HAVE_OPENSSL) && (defined(HAVE_FUNOPEN) || defined(HAVE_FOPENCOOKIE))
+@@ -664,6 +665,7 @@ static void *httpd_helper_thread(void *d
+ {
+ 	char buf[4096];
+ 	char cookie[4096];
++	int header_len = 0;
+ 	struct ast_tcptls_session_instance *ser = data;
+ 	struct ast_variable *vars=NULL, *headers = NULL;
+ 	char *uri, *title=NULL;
+@@ -696,12 +698,15 @@ static void *httpd_helper_thread(void *d
+ 	}
+ 
+ 	/* process "Cookie: " lines */
+-	while (fgets(cookie, sizeof(cookie), ser->f)) {
++	while (header_len <= MAX_HEAD_SIZE && fgets(cookie, sizeof(cookie), ser->f)) {
++		int len;
+ 		/* Trim trailing characters */
+ 		ast_trim_blanks(cookie);
+-		if (ast_strlen_zero(cookie)) {
++		len = strlen(cookie); /* FIXME: not real length. Blanks removed */
++		if (len == 0) {
+ 			break;
+ 		}
++		header_len += len;
+ 		if (!strncasecmp(cookie, "Cookie: ", 8)) {
+ 			vars = parse_cookies(cookie);
+ 		} else {

Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=10064&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Sun Jan  6 22:37:06 2013
@@ -59,3 +59,5 @@
 AST-2012-010
 AST-2012-012
 AST-2012-013
+AST-2012-014
+AST-2012-015

More information about the Pkg-voip-commits mailing list