Summary:ASTERISK-09050: [patch] SDP Header with invalid ip address in secondary "=c" line crashes Asterisk
Reporter:Markus Monka (mmonka)Labels:
Date Opened:2007-03-20 03:44:39Date Closed:2007-03-20 09:03:32
Versions:Frequency of
Description:After sending a crafted message the software crash abruptly. The message in this case is an INVITE where the  SDP contains 2 connection headers. The first one must be valid and the  second not where the IP address should be invalid.

see also http://bugs.gentoo.org/show_bug.cgi?id=171467

i patched my 1.2.16 with


but the bug still exists. I also tested the problem on 1.4.1


Cli Output

Connected to Asterisk SVN-1.2.16 currently running on gw18 (pid = 31159)
Verbosity was 4 and is now 8
   -- Remote UNIX connection
Mar 20 10:31:54 WARNING[31165]: chan_sip.c:3669 process_sdp: Unable to lookup host in secondary c= line, 'IN IP4 x.25.12.134'
Disconnected from Asterisk server
Executing last minute cleanups


Core was generated by `asterisk -vvvvddddddddgf'.
Program terminated with signal 11, Segmentation fault.
#0  process_sdp (p=0x81e5780, req=0xb7a5fb08) at chan_sip.c:3675
3675            memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
(gdb) bt
#0  process_sdp (p=0x81e5780, req=0xb7a5fb08) at chan_sip.c:3675
#1  0xb7aaf9f6 in handle_request_invite (p=0x0, req=0x0, debug=0, ignore=0, seqno=102, sin=0xb7a60e90, recount=0xb7a60ea0, e=0xb7a5fd27 "sip:492113020330@gw02.dev.sipgate.net")
   at chan_sip.c:10690
#2  0xb7ab52ec in handle_request (p=0x81e5780, req=0xb7a5fb08, sin=0xb7a60e90, recount=0xb7a60ea0, nounlock=0xb7a60ea4) at chan_sip.c:11389
#3  0xb7ab7bec in sipsock_read (id=0x81642a0, fd=8, events=1, ignore=0x0) at chan_sip.c:11528
#4  0x08055ece in ast_io_wait (ioc=0x8163dd0, howlong=1000) at io.c:284
ASTERISK-1  0xb7a9c96f in do_monitor (data=0x0) at chan_sip.c:11697
ASTERISK-2  0xb7ef9240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
ASTERISK-3  0xb7dd53de in clone () from /lib/tls/i686/cmov/libc.so.6

asterisk: SVN-1.2.16
Kernel: 2.6.18-3-686 Debian
Comments:By: Markus Monka (mmonka) 2007-03-20 04:24:03

this small patch prevents asterisk to crash. Result is "488 Not acceptable here"

--- channels/chan_sip.c (revision 57290)
+++ channels/chan_sip.c (working copy)
@@ -3661,6 +3661,7 @@
                       hp = ast_gethostbyname(host, &ahp);
                       if (!hp) {
                               ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
+                               return -2;
@@ -3687,6 +3688,7 @@
                       hp = ast_gethostbyname(host, &ahp);
                       if (!hp) {
                               ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
+                               return -2;

By: Serge Vecher (serge-v) 2007-03-20 09:02:49

upon further research, this has already been fixed in 1.2 branch revision 58579 and is part of 1.2.17 release (1.4.2 release for 1.4 branch). Thanks.

By: Serge Vecher (serge-v) 2007-03-20 09:03:32

please note that the committed patch is a bit more extensive than the one you've provided.