[Pkg-voip-commits] [asterisk] 01/01: AST-2014-001: issue with the httpd
tzafrir at debian.org
Wed Mar 12 21:02:37 UTC 2014
tzafrir pushed a commit to branch wheezy
in repository asterisk.
commit 696f423ee4b03b141bd7a977235bac7e3998d022
Author: Tzafrir Cohen <tzafrir at debian.org>
Date: Wed Mar 12 22:51:40 2014 +0200
AST-2014-001: issue with the httpd
---
debian/changelog | 7 +++
debian/patches/AST-2014-001 | 149 ++++++++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 157 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3031c28..782bafc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+asterisk (1:1.8.13.1~dfsg1-3+deb7u4) UNRELEASED; urgency=low
+
+ * Patch AST-2014-001 (CVE-2014-2286) - Stack overflow in HTTP processing
+ of Cookie headers.
+
+ -- Tzafrir Cohen <tzafrir at debian.org> Wed, 12 Mar 2014 22:50:01 +0200
+
asterisk (1:1.8.13.1~dfsg1-3+deb7u3) stable-security; urgency=high
* Bumped repackages tarball number: security and main had different copies
diff --git a/debian/patches/AST-2014-001 b/debian/patches/AST-2014-001
new file mode 100644
index 0000000..696d4bb
--- /dev/null
+++ b/debian/patches/AST-2014-001
@@ -0,0 +1,149 @@
+From: Richard Mudgett <rmudgett at digium.com>
+Date: Mon, 10 Mar 2014 17:00:32 +0000
+Subject: AST-2014-001: Stack overflow in HTTP processing of Cookie headers.
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=410380
+CVE: CVE-2014-2286
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-23340
+
+Sending a HTTP request that is handled by Asterisk with a large number of
+Cookie headers could overflow the stack.
+
+Another vulnerability along similar lines is any HTTP request with a
+ridiculous number of headers in the request could exhaust system memory.
+
+Reported by: Lucas Molas, researcher at Programa STIC, Fundacion; and
+ Dr. Manuel Sadosky, Buenos Aires, Argentina
+
+---
+ main/http.c | 51 +++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 31 insertions(+), 20 deletions(-)
+
+diff --git a/main/http.c b/main/http.c
+index 882da72..22d584f 100644
+--- a/main/http.c
++++ b/main/http.c
+@@ -187,9 +187,7 @@ uint32_t ast_http_manid_from_vars(struct ast_variable *headers)
+ break;
+ }
+ }
+- if (cookies) {
+- ast_variables_destroy(cookies);
+- }
++ ast_variables_destroy(cookies);
+ return mngid;
+ }
+
+@@ -824,12 +822,13 @@ static int ssl_close(void *cookie)
+ }*/
+ #endif /* DO_SSL */
+
+-static struct ast_variable *parse_cookies(char *cookies)
++static struct ast_variable *parse_cookies(const char *cookies)
+ {
++ char *parse = ast_strdupa(cookies);
+ char *cur;
+ struct ast_variable *vars = NULL, *var;
+
+- while ((cur = strsep(&cookies, ";"))) {
++ while ((cur = strsep(&parse, ";"))) {
+ char *name, *val;
+
+ name = val = cur;
+@@ -859,21 +858,19 @@ static struct ast_variable *parse_cookies(char *cookies)
+ /* get cookie from Request headers */
+ struct ast_variable *ast_http_get_cookies(struct ast_variable *headers)
+ {
+- struct ast_variable *v, *cookies=NULL;
++ struct ast_variable *v, *cookies = NULL;
+
+ for (v = headers; v; v = v->next) {
+ if (!strncasecmp(v->name, "Cookie", 6)) {
+- char *tmp = ast_strdupa(v->value);
+- if (cookies) {
+- ast_variables_destroy(cookies);
+- }
+-
+- cookies = parse_cookies(tmp);
++ ast_variables_destroy(cookies);
++ cookies = parse_cookies(v->value);
+ }
+ }
+ return cookies;
+ }
+
++/*! Limit the number of request headers in case the sender is being ridiculous. */
++#define MAX_HTTP_REQUEST_HEADERS 100
+
+ static void *httpd_helper_thread(void *data)
+ {
+@@ -884,6 +881,7 @@ static void *httpd_helper_thread(void *data)
+ struct ast_variable *tail = headers;
+ char *uri, *method;
+ enum ast_http_method http_method = AST_HTTP_UNKNOWN;
++ int remaining_headers;
+
+ if (ast_atomic_fetchadd_int(&session_count, +1) >= session_limit) {
+ goto done;
+@@ -918,9 +916,13 @@ static void *httpd_helper_thread(void *data)
+ if (*c) {
+ *c = '\0';
+ }
++ } else {
++ ast_http_error(ser, 400, "Bad Request", "Invalid Request");
++ goto done;
+ }
+
+ /* process "Request Headers" lines */
++ remaining_headers = MAX_HTTP_REQUEST_HEADERS;
+ while (fgets(header_line, sizeof(header_line), ser->f)) {
+ char *name, *value;
+
+@@ -943,6 +945,11 @@ static void *httpd_helper_thread(void *data)
+
+ ast_trim_blanks(name);
+
++ if (!remaining_headers--) {
++ /* Too many headers. */
++ ast_http_error(ser, 413, "Request Entity Too Large", "Too many headers");
++ goto done;
++ }
+ if (!headers) {
+ headers = ast_variable_new(name, value, __FILE__);
+ tail = headers;
+@@ -950,11 +957,17 @@ static void *httpd_helper_thread(void *data)
+ tail->next = ast_variable_new(name, value, __FILE__);
+ tail = tail->next;
+ }
+- }
+-
+- if (!*uri) {
+- ast_http_error(ser, 400, "Bad Request", "Invalid Request");
+- goto done;
++ if (!tail) {
++ /*
++ * Variable allocation failure.
++ * Try to make some room.
++ */
++ ast_variables_destroy(headers);
++ headers = NULL;
++
++ ast_http_error(ser, 500, "Server Error", "Out of memory");
++ goto done;
++ }
+ }
+
+ handle_uri(ser, uri, http_method, headers);
+@@ -963,9 +976,7 @@ done:
+ ast_atomic_fetchadd_int(&session_count, -1);
+
+ /* clean up all the header information */
+- if (headers) {
+- ast_variables_destroy(headers);
+- }
++ ast_variables_destroy(headers);
+
+ if (ser->f) {
+ fclose(ser->f);
+--
+1.7.10.4
+
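Review bot: The rewritten ast_http_get_cookies still honors only the last Cookie header in the request: the new `ast_variables_destroy(cookies); cookies = parse_cookies(v->value);` pair throws away whatever earlier Cookie headers produced, so a session cookie carried in an earlier header is presumably invisible to ast_http_manid_from_vars (its loop body is only partly visible here). The header-name test on the context line, `strncasecmp(v->name, "Cookie", 6)`, is also a prefix match that accepts names such as Cookie2, which the commit leaves as is. At minimum document the choice above the loop, `/* Only the last Cookie header is honored; earlier ones are discarded. */`, or append each parse_cookies() result to the list if merging is intended. Separately, the new header cap answers with 413, a body-size status; RFC 6585's 431 "Request Header Fields Too Large" names this condition exactly, `ast_http_error(ser, 431, "Request Header Fields Too Large", "Too many headers");`.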
diff --git a/debian/patches/series b/debian/patches/series
index 2d21bde..1922f76 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,3 +39,4 @@ AST-2013-005
AST-2013-006
ASTERISK-20658
AST-2013-007
+AST-2014-001