[Pkg-voip-commits] [asterisk] 01/01: AST-2014-001: issue with the httpd

tzafrir at debian.org tzafrir at debian.org
Wed Mar 12 21:02:37 UTC 2014


This is an automated email from the git hooks/post-receive script.

tzafrir pushed a commit to branch wheezy
in repository asterisk.

commit 696f423ee4b03b141bd7a977235bac7e3998d022
Author: Tzafrir Cohen <tzafrir at debian.org>
Date:   Wed Mar 12 22:51:40 2014 +0200

    AST-2014-001: issue with the httpd
---
 debian/changelog            |   7 +++
 debian/patches/AST-2014-001 | 149 ++++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series       |   1 +
 3 files changed, 157 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3031c28..782bafc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+asterisk (1:1.8.13.1~dfsg1-3+deb7u4) UNRELEASED; urgency=low
+
+  * Patch AST-2014-001 (CVE-2014-2286) - Stack overflow in HTTP processing
+    of Cookie headers.
+
+ -- Tzafrir Cohen <tzafrir at debian.org>  Wed, 12 Mar 2014 22:50:01 +0200
+
 asterisk (1:1.8.13.1~dfsg1-3+deb7u3) stable-security; urgency=high
 
   * Bumped repackages tarball number: security and main had different copies
diff --git a/debian/patches/AST-2014-001 b/debian/patches/AST-2014-001
new file mode 100644
index 0000000..696d4bb
--- /dev/null
+++ b/debian/patches/AST-2014-001
@@ -0,0 +1,149 @@
+From: Richard Mudgett <rmudgett at digium.com>
+Date: Mon, 10 Mar 2014 17:00:32 +0000
+Subject: AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=410380
+CVE: CVE-2014-2286
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-23340
+
+Sending a HTTP request that is handled by Asterisk with a large number of
+Cookie headers could overflow the stack.
+
+Another vulnerability along similar lines is any HTTP request with a
+ridiculous number of headers in the request could exhaust system memory.
+
+Reported by: Lucas Molas, researcher at Programa STIC, Fundacion; and
+  Dr. Manuel Sadosky, Buenos Aires, Argentina
+
+---
+ main/http.c |   51 +++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 31 insertions(+), 20 deletions(-)
+
+diff --git a/main/http.c b/main/http.c
+index 882da72..22d584f 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -187,9 +187,7 @@ uint32_t ast_http_manid_from_vars(struct ast_variable *headers)
+ 			break;
+ 		}
+ 	}
+-	if (cookies) {
+-		ast_variables_destroy(cookies);
+-	}
++	ast_variables_destroy(cookies);
+ 	return mngid;
+ }
+ 
+@@ -824,12 +822,13 @@ static int ssl_close(void *cookie)
+ }*/
+ #endif	/* DO_SSL */
+ 
+-static struct ast_variable *parse_cookies(char *cookies)
++static struct ast_variable *parse_cookies(const char *cookies)
+ {
++	char *parse = ast_strdupa(cookies);
+ 	char *cur;
+ 	struct ast_variable *vars = NULL, *var;
+ 
+-	while ((cur = strsep(&cookies, ";"))) {
++	while ((cur = strsep(&parse, ";"))) {
+ 		char *name, *val;
+ 
+ 		name = val = cur;
+@@ -859,21 +858,19 @@ static struct ast_variable *parse_cookies(char *cookies)
+ /* get cookie from Request headers */
+ struct ast_variable *ast_http_get_cookies(struct ast_variable *headers)
+ {
+-	struct ast_variable *v, *cookies=NULL;
++	struct ast_variable *v, *cookies = NULL;
+ 
+ 	for (v = headers; v; v = v->next) {
+ 		if (!strncasecmp(v->name, "Cookie", 6)) {
+-			char *tmp = ast_strdupa(v->value);
+-			if (cookies) {
+-				ast_variables_destroy(cookies);
+-			}
+-
+-			cookies = parse_cookies(tmp);
++			ast_variables_destroy(cookies);
++			cookies = parse_cookies(v->value);
+ 		}
+ 	}
+ 	return cookies;
+ }
+ 
++/*! Limit the number of request headers in case the sender is being ridiculous. */
++#define MAX_HTTP_REQUEST_HEADERS	100
+ 
+ static void *httpd_helper_thread(void *data)
+ {
+@@ -884,6 +881,7 @@ static void *httpd_helper_thread(void *data)
+ 	struct ast_variable *tail = headers;
+ 	char *uri, *method;
+ 	enum ast_http_method http_method = AST_HTTP_UNKNOWN;
++	int remaining_headers;
+ 
+ 	if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
+ 		goto done;
+@@ -918,9 +916,13 @@ static void *httpd_helper_thread(void *data)
+ 		if (*c) {
+ 			*c = '\0';
+ 		}
++	} else {
++		ast_http_error(ser, 400, "Bad Request", "Invalid Request");
++		goto done;
+ 	}
+ 
+ 	/* process "Request Headers" lines */
++	remaining_headers = MAX_HTTP_REQUEST_HEADERS;
+ 	while (fgets(header_line, sizeof(header_line), ser->f)) {
+ 		char *name, *value;
+ 
+@@ -943,6 +945,11 @@ static void *httpd_helper_thread(void *data)
+ 
+ 		ast_trim_blanks(name);
+ 
++		if (!remaining_headers--) {
++			/* Too many headers. */
++			ast_http_error(ser, 413, "Request Entity Too Large", "Too many headers");
++			goto done;
++		}
+ 		if (!headers) {
+ 			headers = ast_variable_new(name, value, __FILE__);
+ 			tail = headers;
+@@ -950,11 +957,17 @@ static void *httpd_helper_thread(void *data)
+ 			tail->next = ast_variable_new(name, value, __FILE__);
+ 			tail = tail->next;
+ 		}
+-	}
+-
+-	if (!*uri) {
+-		ast_http_error(ser, 400, "Bad Request", "Invalid Request");
+-		goto done;
++		if (!tail) {
++			/*
++			 * Variable allocation failure.
++			 * Try to make some room.
++			 */
++			ast_variables_destroy(headers);
++			headers = NULL;
++
++			ast_http_error(ser, 500, "Server Error", "Out of memory");
++			goto done;
++		}
+ 	}
+ 
+ 	handle_uri(ser, uri, http_method, headers);
+@@ -963,9 +976,7 @@ done:
+ 	ast_atomic_fetchadd_int(&session_count, -1);
+ 
+ 	/* clean up all the header information */
+-	if (headers) {
+-		ast_variables_destroy(headers);
+-	}
++	ast_variables_destroy(headers);
+ 
+ 	if (ser->f) {
+ 		fclose(ser->f);
+-- 
+1.7.10.4
+
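Review bot: The new `ast_strdupa(cookies)` at the top of parse_cookies carries no comment explaining why the copy moved here from the loop in ast_http_get_cookies, and that placement is the whole fix: an alloca'd copy now lives only for one parse_cookies frame instead of accumulating in the caller's frame once per Cookie header. A maintainer who later hoists the copy back to the caller to save a duplication would silently reintroduce the overflow, so I would add above that line `/* Stack copy is deliberately scoped to this call: duplicating in the caller's loop let repeated Cookie headers grow its frame without bound (CVE-2014-2286). */`. The MAX_HTTP_REQUEST_HEADERS cap in httpd_helper_thread bounds how many times this path runs per request, while the size of any single copy is bounded by the header_line buffer, whose size is not visible in this hunk. parse_cookies' body continues past the end of the nested hunk that starts at the "@@ -824,12 +822,13 @@" header.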
diff --git a/debian/patches/series b/debian/patches/series
index 2d21bde..1922f76 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,3 +39,4 @@ AST-2013-005
 AST-2013-006
 ASTERISK-20658
 AST-2013-007
+AST-2014-001
