Summary: | ASTERISK-09050: [patch] SDP Header with invalid ip address in secondary "=c" line crashes Asterisk | ||
Reporter: | Markus Monka (mmonka) | Labels: | |
Date Opened: | 2007-03-20 03:44:39 | Date Closed: | 2007-03-20 09:03:32 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Core/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: | After sending a crafted message the software crashes abruptly. The message in this case is an INVITE where the SDP contains 2 connection headers. The first one must be valid and the second not, where the IP address should be invalid.

See also http://bugs.gentoo.org/show_bug.cgi?id=171467

I patched my 1.2.16 with http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58907&r2=59038 but the bug still exists. I also tested the problem on 1.4.1.

****** ADDITIONAL INFORMATION ******

Cli Output

    Connected to Asterisk SVN-1.2.16 currently running on gw18 (pid = 31159)
    Verbosity was 4 and is now 8
    -- Remote UNIX connection
    Mar 20 10:31:54 WARNING[31165]: chan_sip.c:3669 process_sdp: Unable to lookup host in secondary c= line, 'IN IP4 x.25.12.134'
    gw18*CLI>
    Disconnected from Asterisk server
    Executing last minute cleanups

GDB:

    Core was generated by `asterisk -vvvvddddddddgf'.
    Program terminated with signal 11, Segmentation fault.
    #0 process_sdp (p=0x81e5780, req=0xb7a5fb08) at chan_sip.c:3675
    3675 memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
    (gdb) bt
    #0 process_sdp (p=0x81e5780, req=0xb7a5fb08) at chan_sip.c:3675
    #1 0xb7aaf9f6 in handle_request_invite (p=0x0, req=0x0, debug=0, ignore=0, seqno=102, sin=0xb7a60e90, recount=0xb7a60ea0, e=0xb7a5fd27 "sip:492113020330@gw02.dev.sipgate.net") at chan_sip.c:10690
    #2 0xb7ab52ec in handle_request (p=0x81e5780, req=0xb7a5fb08, sin=0xb7a60e90, recount=0xb7a60ea0, nounlock=0xb7a60ea4) at chan_sip.c:11389
    #3 0xb7ab7bec in sipsock_read (id=0x81642a0, fd=8, events=1, ignore=0x0) at chan_sip.c:11528
    #4 0x08055ece in ast_io_wait (ioc=0x8163dd0, howlong=1000) at io.c:284
    #5 0xb7a9c96f in do_monitor (data=0x0) at chan_sip.c:11697
    #6 0xb7ef9240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
    #7 0xb7dd53de in clone () from /lib/tls/i686/cmov/libc.so.6

asterisk: SVN-1.2.16
Kernel: 2.6.18-3-686 Debian | ||
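The failure in this report, shown as an added example that is not part of the original report and is not Asterisk's code: a hypothetical helper, sdp_connection_addr, resolves every c= line and rejects the whole SDP with -2 when a lookup fails, so no address is ever copied out of a missing lookup result. inet_pton stands in for ast_gethostbyname so the block runs offline, and both SDP bodies are constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Asterisk's process_sdp(). Resolves every "c="
 * line of an SDP body; inet_pton() stands in for the host lookup.
 * Returns 0 and stores the last address in *out, -1 if there is no c= line,
 * -2 if any c= line is malformed or unresolved. *out is set only on success. */
int sdp_connection_addr(const char *sdp, struct in_addr *out)
{
    struct in_addr last = {0};
    int found = 0;
    const char *line = sdp;
    while (line && *line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 2 && line[0] == 'c' && line[1] == '=') {
            char buf[128], host[64];
            if (len - 2 >= sizeof(buf))
                return -2;                  /* oversized line: reject */
            memcpy(buf, line + 2, len - 2);
            buf[len - 2] = '\0';
            if (sscanf(buf, "IN IP4 %63s", host) != 1)
                return -2;                  /* not an IPv4 connection line */
            /* A failed lookup rejects the SDP here, so no caller ever
             * copies an address out of a missing lookup result. */
            if (inet_pton(AF_INET, host, &last) != 1)
                return -2;
            found = 1;
        }
        line = eol ? eol + strspn(eol, "\r\n") : NULL;
    }
    if (!found)
        return -1;
    *out = last;
    return 0;
}

/* Constructed sample bodies; the rejected address is the one in the CLI log. */
static const char SDP_OK[]  = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 4000 RTP/AVP 0\r\nc=IN IP4 192.0.2.11\r\n";
static const char SDP_BAD[] = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 4000 RTP/AVP 0\r\nc=IN IP4 x.25.12.134\r\n";

int main(void)
{
    struct in_addr a;
    printf("valid: %d, invalid secondary c=: %d\n",
           sdp_connection_addr(SDP_OK, &a), sdp_connection_addr(SDP_BAD, &a));
    return 0;
}
```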
Comments: |
By: Markus Monka (mmonka) 2007-03-20 04:24:03
This small patch prevents Asterisk from crashing. Result is "488 Not acceptable here"
--- channels/chan_sip.c (revision 57290) +++ channels/chan_sip.c (working copy) @@ -3661,6 +3661,7 @@ hp = ast_gethostbyname(host, &ahp); if (!hp) { ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c); + return -2; } } } @@ -3687,6 +3688,7 @@ hp = ast_gethostbyname(host, &ahp); if (!hp) { ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c); + return -2; } } }

By: Serge Vecher (serge-v) 2007-03-20 09:02:49
Upon further research, this has already been fixed in 1.2 branch revision 58579 and is part of 1.2.17 release (1.4.2 release for 1.4 branch). Thanks.

By: Serge Vecher (serge-v) 2007-03-20 09:03:32
Please note that the committed patch is a bit more extensive than the one you've provided. |
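Review bot: in the hunk at -3661, the added "return -2;" is a bare magic value with nothing in the code saying what -2 means to the caller. The comment posted with the patch says the result is "488 Not acceptable here", so put that in a comment beside the return or use a named constant. The return also sits three blocks deep, so check that nothing set up earlier in the function needs undoing before leaving at this point.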
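Review bot: the hunk at -3687 repeats the first hunk's lookup, warning and "return -2;" verbatim, including the same "secondary c= line" text, so a log line cannot tell which of the two sites rejected the SDP. Give this site its own message, or move the ast_gethostbyname call and its "if (!hp)" check into one helper that both sites call, so the check cannot be dropped from one copy later.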