Summary: ASTERISK-09807: DoS (as a crash or not) when the Call-Id: of successive SUBSCRIBE packets is identical + Authentication
Reporter: Corentin Le Gall (clegall_proformatique)
Labels:
Date Opened: 2007-07-05 12:11:22
Date Closed: 2007-08-09 10:34:30
Priority: Critical
Regression? No
Status: Closed/Complete
Components: Channels/chan_sip/Subscriptions
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) sip_debug_subscribe_auth.txt
Description:

This happens on Asterisk versions 1.2.18, 1.2.19 and 1.2.20. Not in Asterisk 1.4.

Let's consider a SIP account used as a watcher that SUBSCRIBEs with an application/pidf+xml feature. If:
- this watcher account has a password defined ("secret" field in sip.conf)
- the successive SUBSCRIBE packets are sent with the SAME "Call-Id" field

Once 2 (or more) such SUBSCRIBE packets have been sent, then sooner or later the Asterisk application will be unavailable, either:
- it will crash (segfault)
- no more SIP calls will be issued

Issuing SIP calls meanwhile will speed up this happening.

Maybe this is related to 0009836?

****** ADDITIONAL INFORMATION ******

When receiving such SUBSCRIBE packets, the callback list "statecbs" in pbx.c is filled with more and more items, all of which refer to a different id (cblist->id), but refer to the same data (cblist->data). Then, when the registration reaches its time delay, the ast_extension_state_del() function removes only the first item of the list (one can monitor the list of hints by adding an output in ast_hint_state_changed()).

pbx.c:1921 ast_hint_state_changed: cblist/cblist->data/cblist->id = 0x0813ceb8 0x081cbc20 85
pbx.c:1921 ast_hint_state_changed: cblist/cblist->data/cblist->id = 0x0819b4f8 0x081cbc20 83
pbx.c:1921 ast_hint_state_changed: cblist/cblist->data/cblist->id = 0x0818a0c8 0x081cbc20 81
pbx.c:1921 ast_hint_state_changed: cblist/cblist->data/cblist->id = 0x08148080 0x081cbc20 79
...

So there remain pointers to a memory zone that might have been freed, and the next SIP calls are ready to segfault. This is what I suspect. I guess more experienced people on this piece of code will know better where to look.
Comments:

By: Digium Subversion (svnbot) 2007-07-06 17:44:43
Repository: asterisk
Revision: 73768
------------------------------------------------------------------------
r73768 | russell | 2007-07-06 17:44:42 -0500 (Fri, 06 Jul 2007) | 4 lines

If a sip_pvt struct has already registered an extension state callback, remove the old one before adding a new one. If this isn't done, Asterisk will crash.
(issue ASTERISK-9807)
------------------------------------------------------------------------

By: Digium Subversion (svnbot) 2007-07-06 17:46:18
Repository: asterisk
Revision: 73769
------------------------------------------------------------------------
r73769 | russell | 2007-07-06 17:46:18 -0500 (Fri, 06 Jul 2007) | 12 lines

Merged revisions 73768 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r73768 | russell | 2007-07-06 18:01:22 -0500 (Fri, 06 Jul 2007) | 4 lines

If a sip_pvt struct has already registered an extension state callback, remove the old one before adding a new one. If this isn't done, Asterisk will crash.
(issue ASTERISK-9807)
........
------------------------------------------------------------------------

By: Digium Subversion (svnbot) 2007-07-06 17:48:44
Repository: asterisk
Revision: 73771
------------------------------------------------------------------------
r73771 | russell | 2007-07-06 17:48:43 -0500 (Fri, 06 Jul 2007) | 20 lines

Merged revisions 73769 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

................
r73769 | russell | 2007-07-06 18:02:58 -0500 (Fri, 06 Jul 2007) | 12 lines

Merged revisions 73768 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r73768 | russell | 2007-07-06 18:01:22 -0500 (Fri, 06 Jul 2007) | 4 lines

If a sip_pvt struct has already registered an extension state callback, remove the old one before adding a new one. If this isn't done, Asterisk will crash.
(issue ASTERISK-9807)
........
................
------------------------------------------------------------------------

By: Russell Bryant (russell) 2007-07-06 17:49:38
Can you give the latest code in the 1.2 branch another try after those commits I just made?

By: Olle Johansson (oej) 2007-07-08 04:18:52
Can we get a SIP debug? I need to check these subsequent subscribes, the renewals. Thank you.

By: Corentin Le Gall (clegall_proformatique) 2007-07-09 03:15:39
russell: these last revisions look OK. More than 600 SIP calls succeeded on the line.
oej: do you want a SIP debug for the failing or for the succeeding version?

By: Olle Johansson (oej) 2007-07-09 04:14:07
I want a SIP debug for the failing version, thanks. I need to understand what happens to assess the patch and see if there's something else that needs to be done.

By: Russell Bryant (russell) 2007-07-18 20:37:34
clegall_proformatique: Can you please provide that SIP trace so that we can close out the issue? Thank you ...

By: Corentin Le Gall (clegall_proformatique) 2007-07-19 02:44:03
russell, oej: It might not be the trace you request, but I did post this file a while ago:
07-09-07 12:56 clegall_proformatique File Added: sip_debug_subscribe_auth.txt
Please tell me what's missing, thanks.

By: Russell Bryant (russell) 2007-07-19 09:32:22
I'm sorry, I didn't notice that you uploaded it since you didn't add a note when you uploaded it. Oops. :)

By: Russell Bryant (russell) 2007-08-09 10:34:30
Closing as fixed
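The stale-callback pattern the report describes, and the fix r73768 describes (remove the old extension state callback before adding a new one), as an added example that is not Asterisk code: a toy model of the "statecbs" list in which the hypothetical struct subscription stands in for sip_pvt, and state_add, state_del, renew and leftover_after are invented names, not pbx.c or chan_sip functions.

```c
/* Added example, not Asterisk code: a minimal model of the "statecbs" list
 * from the report. struct subscription is a hypothetical stand-in for sip_pvt. */
#include <stdlib.h>
struct statecb { int id; void *data; struct statecb *next; };
static struct statecb *statecbs;      /* one global callback list, as in pbx.c */
static int next_id = 1;

/* Register a callback owned by data, return its id (like ast_extension_state_add). */
static int state_add(void *data) {
    struct statecb *cb = calloc(1, sizeof(*cb));
    cb->id = next_id++; cb->data = data; cb->next = statecbs;
    statecbs = cb;
    return cb->id;
}

/* Unlink exactly one callback by id; -1 if absent (like ast_extension_state_del). */
static int state_del(int id) {
    for (struct statecb **pp = &statecbs; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct statecb *dead = *pp; *pp = dead->next; free(dead);
            return 0;
        }
    }
    return -1;
}

/* Callbacks still pointing at data: once the owner is freed, each one dangles. */
static int state_count_for(const void *data) {
    int n = 0;
    for (struct statecb *cb = statecbs; cb; cb = cb->next) n += (cb->data == data);
    return n;
}
struct subscription { int stateid; };   /* hypothetical; remembers ONE callback id */

/* Renewal with the same Call-Id. Buggy (pre-r73768): add a new callback and
 * forget the old id. Fixed: remove the old callback before adding a new one. */
static void renew(struct subscription *s, int fixed) {
    if (fixed && s->stateid != -1) state_del(s->stateid);
    s->stateid = state_add(s);
}

/* Simulate `renewals` SUBSCRIBEs, then expiry (which deletes only the one
 * remembered id); return how many callbacks for s survive and would dangle. */
static int leftover_after(int renewals, int fixed) {
    struct subscription s = { -1 };
    while (statecbs) state_del(statecbs->id);      /* fresh list per run */
    for (int i = 0; i < renewals; i++) renew(&s, fixed);
    state_del(s.stateid);
    return state_count_for(&s);
}
```

With the buggy renewal, every SUBSCRIBE beyond the first leaves one orphaned entry whose data pointer outlives the subscription; with the fix, the list never holds more than one entry per subscription, so expiry empties it.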