
Summary: ASTERISK-16184: [patch] crash when From header URI misses "sip:"
Reporter: klaus3000 (klaus3000)
Labels:
Date Opened: 2010-06-01 09:57:02
Date Closed: 2010-06-21 15:46:23
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) sip_crash
Description:
<--- SIP read from UDP:88.198.53.113:5060 --->
INVITE sip:01505641636@83.136.32.165 SIP/2.0
Record-Route: <sip:88.198.53.113;lr=on>
Via: SIP/2.0/UDP 88.198.53.113;branch=z9hG4bKfe63.5c00b695.0
Via: SIP/2.0/UDP 10.10.0.51:17681;received=83.136.33.3;branch=z9hG4bK-d8754z-22352963c346652c-1---d8754z-;rport=17681
Max-Forwards: 69
Contact: <sip:klaus@83.136.33.3:17681;transport=udp>
To: "01505641636"<sip:01505641636@83.136.32.165>
Call-ID: MGE3ZTA3NDVjNzg4Y2ZlYThmNGJmNTk3MTdlYjRmYTM.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
Content-Type: application/sdp
User-Agent: eyeBeam release 1102q stamp 51814
Content-Length: 213
From: foobar@pernau.at;tag=76344e54
P-hint: outbound

v=0
o=- 0 2 IN IP4 83.136.33.3
s=CounterPath eyeBeam 1.5
c=IN IP4 83.136.33.3
t=0 0
m=audio 40552 RTP/AVP 107 0 8 101
a=fmtp:101 0-15
a=rtpmap:107 BV32/16000
a=rtpmap:101 telephone-event/8000
a=sendrecv
<------------->
--- (15 headers 10 lines) ---
 == Using UDPTL TOS bits 204
 == Using UDPTL CoS mark 5
Sending to 88.198.53.113 : 5060 (NAT)
Using INVITE request as basis request - MGE3ZTA3NDVjNzg4Y2ZlYThmNGJmNTk3MTdlYjRmYTM.
[Jun  1 16:52:37] NOTICE[12857]: chan_sip.c:14210 check_user_full: From address missing 'sip:', using it anyway
Segmentation fault (core dumped)



****** ADDITIONAL INFORMATION ******

#0  0xb759e631 in check_user_full (p=0xb97dc20, req=0xb35c2d74, sipmethod=5, uri=0xb3620ac3 "sip:01505641636@83.136.32.165", reliable=XMIT_RELIABLE,
   sin=0xb35c2d64, authpeer=0x0) at /home/darilion/software/asterisk/asterisk-trunk/include/asterisk/strings.h:65
65              return (!s || (*s == '\0'));
(gdb) bt
#0  0xb759e631 in check_user_full (p=0xb97dc20, req=0xb35c2d74, sipmethod=5, uri=0xb3620ac3 "sip:01505641636@83.136.32.165", reliable=XMIT_RELIABLE,
   sin=0xb35c2d64, authpeer=0x0) at /home/darilion/software/asterisk/asterisk-trunk/include/asterisk/strings.h:65
#1  0xb759eb14 in check_user (p=0xb97dc20, req=0xb35c2d74, sipmethod=5, uri=0xb3620ac3 "sip:01505641636@83.136.32.165", reliable=XMIT_RELIABLE,
   sin=0xb35c2d64) at chan_sip.c:14286
#2  0xb75bd0dd in handle_request_invite (p=0xb97dc20, req=0xb35c2d74, debug=1, seqno=1, sin=0xb35c2d64, recount=0xb35c2d04,
   e=0xb3620ac3 "sip:01505641636@83.136.32.165", nounlock=0xb35c2d00) at chan_sip.c:20513
#3  0xb75c7361 in handle_incoming (p=0xb97dc20, req=0xb35c2d74, sin=0xb35c2d64, recount=0xb35c2d04, nounlock=0xb35c2d00) at chan_sip.c:22845
#4  0xb75c86fc in handle_request_do (req=0xb35c2d74, sin=0xb35c2d64) at chan_sip.c:23157
#5  0xb75c7e61 in sipsock_read (id=0xb845e10, fd=47, events=1, ignore=0x0) at chan_sip.c:23051
#6  0x0810a937 in ast_io_wait (ioc=0xb78198e0, howlong=1000) at io.c:288
#7  0xb75c9dcd in do_monitor (data=0x0) at chan_sip.c:23563
#8  0x081825f1 in dummy_start (data=0xb361cd80) at utils.c:971
#9  0xb7b0b4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#10 0xb7d3f6de in clone () from /lib/i686/cmov/libc.so.6

Crash happened with trunk. 1.6.2.7 is not vulnerable.

Comments:

By: Elazar Broad (ebroad) 2010-06-01 14:11:57

My guess would be one of these macro calls in check_user_full():

SIP_PEDANTIC_DECODE(of);
SIP_PEDANTIC_DECODE(domain);

they are in trunk but not in 1.6.2.7.

elazar

By: klaus3000 (klaus3000) 2010-06-01 14:50:08

That might be - I always use pedantic=yes (which is buggy anyway - but that is another bug report :-)

By: Leif Madsen (lmadsen) 2010-06-02 11:13:44

The issue I just marked as related may not be related at all, but thought I'd put it there just in case someone wants to double check that this isn't a regression.

By: Leif Madsen (lmadsen) 2010-06-02 11:25:42

dvossel has verified the issue was not related (ASTERISK-14786) to this issue as it would only happen on a SIP_NOTIFY. I've deleted the relation now.

By: David Vossel (dvossel) 2010-06-02 11:57:37

This more than likely has to do with the changes made to uri parsing.  If the expected "sip:" or "sips:" prefix isn't present, something isn't getting initialized or set correctly.  We should be able to handle this.
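
The cause dvossel describes above, as an added example that is not Asterisk's own code and not the patch attached to this issue: a small addr-spec parser in C that accepts a From URI with or without the "sip:"/"sips:" scheme, sets every output field before any early return, and is then consulted with the same ast_strlen_zero() test (copied from include/asterisk/strings.h as quoted in the backtrace) that the crashing frame was executing. The struct and function names are constructed for the example; of the sample From values only the first is taken from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not Asterisk code: a minimal SIP addr-spec parser showing
 * the contract that was missing here, namely that every output is set on
 * every return path, including the "no sip:/sips: prefix" path. */
struct sip_addr {
    const char *scheme;  /* "sip", "sips" or "" when the prefix is absent */
    int scheme_missing;  /* 1 when the URI had no sip:/sips: prefix */
    char user[64];       /* user part, "" when the URI has no '@' */
    char host[128];      /* host without ":port" or ";params" */
};

/* Same test as ast_strlen_zero() in include/asterisk/strings.h, the frame
 * the crash landed in: only safe when s is a valid pointer. */
static int strlen_zero(const char *s)
{
    return (!s || (*s == '\0'));
}

/* Parse "[display] <[sip:|sips:]user@host[:port][;params]>" or the bare
 * addr-spec. Returns 0 on success, -1 on malformed input. Every field of
 * *out is initialised before the first early return. */
static int parse_addr_spec(const char *in, struct sip_addr *out)
{
    const char *p, *end, *lt, *at, *spec_end, *host_end;
    size_t n;
    memset(out, 0, sizeof(*out));       /* user = host = "" */
    out->scheme = "";
    if (!in)
        return -1;
    p = in;
    lt = strchr(p, '<');                /* name-addr form: take <...> */
    if (lt) {
        p = lt + 1;
        end = strchr(p, '>');
        if (!end)
            return -1;
    } else {
        end = p + strlen(p);
    }
    if (!strncasecmp(p, "sips:", 5)) {
        out->scheme = "sips";
        p += 5;
    } else if (!strncasecmp(p, "sip:", 4)) {
        out->scheme = "sip";
        p += 4;
    } else {
        out->scheme_missing = 1;        /* tolerated, like the NOTICE in the log */
    }
    spec_end = memchr(p, ';', end - p); /* URI parameters start at ';' */
    if (!spec_end)
        spec_end = end;
    at = memchr(p, '@', spec_end - p);
    if (at) {
        n = at - p;
        if (n == 0 || n >= sizeof(out->user))
            return -1;
        memcpy(out->user, p, n);
        out->user[n] = '\0';
        p = at + 1;
    }
    host_end = memchr(p, ':', spec_end - p); /* strip optional ":port" */
    if (!host_end)
        host_end = spec_end;
    n = host_end - p;
    if (n == 0 || n >= sizeof(out->host))
        return -1;
    memcpy(out->host, p, n);
    out->host[n] = '\0';
    return 0;
}

/* What a check_user_full()-style caller needs from From: the user part if
 * there is one, else the host. Safe on any input because a->user and
 * a->host are always set, even when parsing fails. */
static const char *from_identity(const char *from_hdr, struct sip_addr *a)
{
    if (parse_addr_spec(from_hdr, a) < 0)
        return NULL;
    if (a->scheme_missing)
        fprintf(stderr, "NOTICE: From address missing 'sip:', using it anyway\n");
    return strlen_zero(a->user) ? a->host : a->user;
}

int main(void)
{
    /* Constructed inputs; the first is the From value from the report. */
    static const char *const samples[] = {
        "foobar@pernau.at;tag=76344e54",
        "\"01505641636\"<sip:01505641636@83.136.32.165>",
        "<sips:alice@example.com:5061;transport=tls>",
        "sip:83.136.32.165",
    };
    struct sip_addr a;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *id = from_identity(samples[i], &a);
        printf("%-46s -> %s\n", samples[i], id ? id : "(malformed)");
    }
    return 0;
}
```

The point of the memset() at the top of parse_addr_spec() is the one this report turns on: the no-prefix path still returns a struct whose user and host are valid empty strings, so a later strlen_zero() on them cannot dereference a stale stack pointer. The parser stops at the first ';' of the addr-spec, which is enough for the From value in the report, but it does not handle IPv6 host literals or display names containing '<'.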

By: David Vossel (dvossel) 2010-06-17 17:19:11

I uploaded a patch, please test it and verify whether or not this resolves the issue.

By: klaus3000 (klaus3000) 2010-06-18 07:26:30

No crashes anymore.

By: Digium Subversion (svnbot) 2010-06-21 15:46:21

Repository: asterisk
Revision: 271553

U   trunk/channels/chan_sip.c
U   trunk/channels/sip/reqresp_parser.c

------------------------------------------------------------------------
r271553 | dvossel | 2010-06-21 15:46:21 -0500 (Mon, 21 Jun 2010) | 9 lines

fixes crash when From header URI is missing "sip:"

(closes issue ASTERISK-16184)
Reported by: klaus3000
Patches:
     sip_crash uploaded by dvossel (license 671)
Tested by: klaus3000


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=271553