[Pkg-voip-commits] [asterisk] 05/06: AST-2014-019.patch: fixes websocket issue

Tue Dec 16 11:08:38 UTC 2014

This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch jessie
in repository asterisk.

commit 3e31c98cd7a151544020aa0e2a648ae7b0fa6867
Author: Tzafrir Cohen <tzafrir at debian.org>
Date:   Tue Dec 16 13:00:45 2014 +0200

    AST-2014-019.patch: fixes websocket issue
    
    Remote Crash Vulnerability in WebSocket Server (Closes: #773230).
---
 debian/changelog                  |  2 +
 debian/patches/AST-2014-019.patch | 99 +++++++++++++++++++++++++++++++++++++++
 debian/patches/series             |  1 +
 3 files changed, 102 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 93da007..df0b7f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ asterisk (1:11.13.1~dfsg-2) unstable; urgency=medium
     - AST-2014-014: High call load may result in hung channels in ConfBridge
     - AST-2014-017: Mark CONFBRIDGE as a sensitive function for external APIs
     - AST-2014-018: Mark DB as a sensitive function for external APIs
+  * AST-2014-019.patch (CVE-2014-9374): Remote Crash Vulnerability in
+    WebSocket Server (Closes: #773230).
   * sanity check to avoid changing the ABI hash
 
  -- Tzafrir Cohen <tzafrir at debian.org>  Wed, 10 Dec 2014 06:44:45 +0200
diff --git a/debian/patches/AST-2014-019.patch b/debian/patches/AST-2014-019.patch
new file mode 100644
index 0000000..0e3e696
--- /dev/null
+++ b/debian/patches/AST-2014-019.patch
@@ -0,0 +1,99 @@
+From 029aa170547847860608f194f1040bdf8f910460 Mon Sep 17 00:00:00 2001
+From: Joshua Colp <jcolp at digium.com>
+Date: Wed, 10 Dec 2014 13:30:22 +0000
+Subject: Remote Crash Vulnerability in WebSocket Server
+CVE: CVE-2014-9374
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=429270
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-24472
+
+Frames with a payload length of 0 were incorrectly handled in
+res_http_websocket. Provided a frame with a payload had been received
+prior it was possible for a double free to occur. The realloc operation
+would succeed (thus freeing the payload) but be treated as an error.
+When the session was then torn down the payload would be freed again
+causing a crash. The read function now takes this into account.
+
+This change also fixes assumptions made by users of res_http_websocket.
+There is no guarantee that a frame received from it will be NULL
+terminated.
+
+In the default configuration, the websocket server is not used.
+
+Review: https://reviewboard.asterisk.org/r/4220/
+Review: https://reviewboard.asterisk.org/r/4219/
+See Also: http://downloads.asterisk.org/pub/security/AST-2014-019.html
+---
+ channels/chan_sip.c      |  6 +++++-
+ res/res_http_websocket.c | 27 ++++++++++++++++-----------
+ 2 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/channels/chan_sip.c b/channels/chan_sip.c
+index 8ac9aae..5c6a8437 100644
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -2596,12 +2596,16 @@ static void sip_websocket_callback(struct ast_websocket *session, struct ast_var
+ 
+ 		if (opcode == AST_WEBSOCKET_OPCODE_TEXT || opcode == AST_WEBSOCKET_OPCODE_BINARY) {
+ 			struct sip_request req = { 0, };
++			char data[payload_len + 1];
+ 
+ 			if (!(req.data = ast_str_create(payload_len + 1))) {
+ 				goto end;
+ 			}
+ 
+-			if (ast_str_set(&req.data, -1, "%s", payload) == AST_DYNSTR_BUILD_FAILED) {
++			strncpy(data, payload, payload_len);
++			data[payload_len] = '\0';
++
++			if (ast_str_set(&req.data, -1, "%s", data) == AST_DYNSTR_BUILD_FAILED) {
+ 				deinit_req(&req);
+ 				goto end;
+ 			}
+diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c
+index 5258a5f..81fa83d 100644
+--- a/res/res_http_websocket.c
++++ b/res/res_http_websocket.c
+@@ -462,14 +462,6 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
+ 			}
+ 		}
+ 
+-		if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
+-			ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",
+-				session->payload, session->payload_len, *payload_len);
+-			*payload_len = 0;
+-			ast_websocket_close(session, 1009);
+-			return 0;
+-		}
+-
+ 		/* Per the RFC for PING we need to send back an opcode with the application data as received */
+ 		if ((*opcode == AST_WEBSOCKET_OPCODE_PING) && (ast_websocket_write(session, AST_WEBSOCKET_OPCODE_PONG, *payload, *payload_len))) {
+ 			*payload_len = 0;
+@@ -477,9 +469,22 @@ int AST_OPTIONAL_API_NAME(ast_websocket_read)(struct ast_websocket *session, cha
+ 			return 0;
+ 		}
+ 
+-		session->payload = new_payload;
+-		memcpy((session->payload + session->payload_len), (*payload), (*payload_len));
+-		session->payload_len += *payload_len;
++		if (*payload_len) {
++			if (!(new_payload = ast_realloc(session->payload, (session->payload_len + *payload_len)))) {
++				ast_log(LOG_WARNING, "Failed allocation: %p, %zu, %"PRIu64"\n",
++					session->payload, session->payload_len, *payload_len);
++				*payload_len = 0;
++				ast_websocket_close(session, 1009);
++				return 0;
++			}
++
++			session->payload = new_payload;
++			memcpy((session->payload + session->payload_len), (*payload), (*payload_len));
++			session->payload_len += *payload_len;
++		} else if (!session->payload_len && session->payload) {
++			ast_free(session->payload);
++			session->payload = NULL;
++		}
+ 
+ 		if (!fin && session->reconstruct && (session->payload_len < session->reconstruct)) {
+ 			/* If this is not a final message we need to defer returning it until later */
+-- 
+2.1.3
+
diff --git a/debian/patches/series b/debian/patches/series
index 7257b80..ef501eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -38,3 +38,4 @@ AST-2014-012.patch
 AST-2014-014.patch
 AST-2014-017.patch
 AST-2014-018.patch
+AST-2014-019.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git

