
Summary: ASTERISK-09050: [patch] SDP Header with invalid ip address in secondary "=c" line crashes Asterisk
Reporter: Markus Monka (mmonka)
Labels:
Date Opened: 2007-03-20 03:44:39
Date Closed: 2007-03-20 09:03:32
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: After sending a crafted message the software crashes abruptly. The message in this case is an INVITE where the SDP contains 2 connection headers. The first one must be valid and the second not, where the IP address should be invalid.

See also http://bugs.gentoo.org/show_bug.cgi?id=171467

I patched my 1.2.16 with

http://svn.digium.com/view/asterisk/trunk/channels/chan_sip.c?r1=58907&r2=59038

but the bug still exists. I also tested the problem on 1.4.1

****** ADDITIONAL INFORMATION ******

Cli Output

Connected to Asterisk SVN-1.2.16 currently running on gw18 (pid = 31159)
Verbosity was 4 and is now 8
   -- Remote UNIX connection
Mar 20 10:31:54 WARNING[31165]: chan_sip.c:3669 process_sdp: Unable to lookup host in secondary c= line, 'IN IP4 x.25.12.134'
gw18*CLI>
Disconnected from Asterisk server
Executing last minute cleanups


GDB:

Core was generated by `asterisk -vvvvddddddddgf'.
Program terminated with signal 11, Segmentation fault.
#0  process_sdp (p=0x81e5780, req=0xb7a5fb08) at chan_sip.c:3675
3675            memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
(gdb) bt
#0  process_sdp (p=0x81e5780, req=0xb7a5fb08) at chan_sip.c:3675
#1  0xb7aaf9f6 in handle_request_invite (p=0x0, req=0x0, debug=0, ignore=0, seqno=102, sin=0xb7a60e90, recount=0xb7a60ea0, e=0xb7a5fd27 "sip:492113020330@gw02.dev.sipgate.net")
   at chan_sip.c:10690
#2  0xb7ab52ec in handle_request (p=0x81e5780, req=0xb7a5fb08, sin=0xb7a60e90, recount=0xb7a60ea0, nounlock=0xb7a60ea4) at chan_sip.c:11389
#3  0xb7ab7bec in sipsock_read (id=0x81642a0, fd=8, events=1, ignore=0x0) at chan_sip.c:11528
#4  0x08055ece in ast_io_wait (ioc=0x8163dd0, howlong=1000) at io.c:284
#5  0xb7a9c96f in do_monitor (data=0x0) at chan_sip.c:11697
#6  0xb7ef9240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#7  0xb7dd53de in clone () from /lib/tls/i686/cmov/libc.so.6

asterisk: SVN-1.2.16
Kernel: 2.6.18-3-686 Debian
Comments:

By: Markus Monka (mmonka) 2007-03-20 04:24:03

This small patch prevents asterisk from crashing. The result is "488 Not acceptable here"

--- channels/chan_sip.c (revision 57290)
+++ channels/chan_sip.c (working copy)
@@ -3661,6 +3661,7 @@
                       hp = ast_gethostbyname(host, &ahp);
                       if (!hp) {
                               ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
+                               return -2;
                       }
               }
       }
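
Review bot: The early return is placed at the lookup inside if (!hp), but the dereference that faulted in the gdb trace, the memcpy from hp->h_addr at chan_sip.c:3675, is still unguarded. Consider also checking hp immediately before that copy so it is safe no matter which lookup ran last. The bare -2 deserves a one-line comment saying what it means to the caller of process_sdp, since the "488 Not acceptable here" outcome is only mentioned in the text accompanying the patch.
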
@@ -3687,6 +3688,7 @@
                       hp = ast_gethostbyname(host, &ahp);
                       if (!hp) {
                               ast_log(LOG_WARNING, "Unable to lookup host in secondary c= line, '%s'\n", c);
+                               return -2;
                       }
               }
       }
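
Review bot: The second if (!hp) block repeats the lookup, the warning text and the failure path of the hunk at 3661 line for line, so a log entry reading "Unable to lookup host in secondary c= line" cannot tell which of the two blocks rejected the SDP. Give the two warnings distinct wording, or move the lookup and its return -2 into one helper so the failure path exists once and the meaning of -2 is documented in a single place.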



By: Serge Vecher (serge-v) 2007-03-20 09:02:49

Upon further research, this has already been fixed in 1.2 branch revision 58579 and is part of 1.2.17 release (1.4.2 release for 1.4 branch). Thanks.

By: Serge Vecher (serge-v) 2007-03-20 09:03:32

Please note that the committed patch is a bit more extensive than the one you've provided.
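
The failure mode in this report, as an added C example (not Asterisk code and not the committed fix): every c= line is resolved, and a failed resolution rejects the SDP before any address is copied, mirroring the return -2 in the reporter's patch. The names resolve_c_line, sdp_check_connections and SAMPLE_SDP are hypothetical, and inet_pton replaces ast_gethostbyname so the block runs without DNS.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample; the second c= address is the one in the report's log. */
static const char SAMPLE_SDP[] =
    "v=0\r\nc=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\nc=IN IP4 x.25.12.134\r\n";

/* Hypothetical helper: resolve one "c=IN IP4 <addr>" line of length len.
 * inet_pton (numeric only, no DNS) stands in for ast_gethostbyname. */
static int resolve_c_line(const char *p, size_t len, struct in_addr *out)
{
    char line[128], host[64];
    if (len >= sizeof(line))
        return -1;                      /* oversized line: reject */
    memcpy(line, p, len);
    line[len] = '\0';                   /* parse this line only */
    if (sscanf(line, "c=IN IP4 %63s", host) != 1)
        return -1;                      /* malformed c= line */
    return inet_pton(AF_INET, host, out) == 1 ? 0 : -1;
}

/* Returns the number of c= lines accepted (last address in *addr), or -2, the
 * value used in the reporter's patch, on the first failure (*addr untouched). */
int sdp_check_connections(const char *sdp, struct in_addr *addr)
{
    struct in_addr cur = { 0 };
    int count = 0;
    for (const char *p = sdp; p && *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (strncmp(p, "c=", 2) == 0) {
            if (resolve_c_line(p, len, &cur) != 0)
                return -2;              /* never use a failed lookup */
            count++;
        }
        p = eol ? eol + 1 : NULL;
    }
    if (count > 0)
        *addr = cur;
    return count;
}

int main(void)
{
    struct in_addr a = { 0 };
    printf("result: %d\n", sdp_check_connections(SAMPLE_SDP, &a));
    return 0;
}
```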