Summary: | ASTERISK-17838: [patch] remote authenticated asterisk DoS (crash) for tcp-sip clients | ||
Reporter: | Walter Doekes (wdoekes) | Labels: | |
Date Opened: | 2011-05-11 09:02:14 | Date Closed: | 2011-05-20 09:42:52 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Channels/chan_sip/TCP-TLS |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) altered-register.xml ( 1) invite-and-bye.xml ( 2) issue19272_check_against_tcptls_session_null.patch | |
Description: | Hi,

AFAICT all versions (at least 1.6.2.17 and svn-trunk) are affected by a bug introduced by mnicholson's recent denial of service fix (r314666): when asterisk fails to connect over TCP, asterisk dies.

Severity: bad
Affected installations: those with SIP over TCP allowed
Mitigating factors: you need to be able to register (as guest or authenticated) OR a bad IP-port combination needs to be set in sip.conf

****** STEPS TO REPRODUCE ******

--------------- extensions.conf ---------------
[phones]
exten => 200,1,Dial(SIP/200)

-------- sip.conf --------
[general]
tcpenable=yes

[200]
host=dynamic
transport=tcp,udp
type=friend
context=phones

------------ sipp command ------------
(this does nothing more than do a register but set an unused port (port 1) and then an invite to 200 (self))

$ for x in altered-register.xml invite-and-bye.xml ; do sipp -m 1 -sf $x -s 200 127.0.0.1 -key tel 200 ; done

--------------- asterisk output ---------------
root@walter-laptop:0:/etc/asterisk# asterisk -V
Asterisk SVN-trunk-r318500
(but probably all versions are affected, at least 1.6.2.17.3 is)
root@walter-laptop:0:/etc/asterisk# asterisk -c
...
*CLI> core set verbose 20
Verbosity was 0 and is now 20
*CLI>
    -- Registered SIP '200' at 127.0.1.1:1
    == Using SIP RTP CoS mark 5
    -- Executing [200@phones:1] Dial("SIP/200-00000000", "SIP/200") in new stack
Agent policy for SIP/200-00000000 is 'never'.
CC not possible
    == Using SIP RTP CoS mark 5
    -- Called SIP/200
Unable to connect SIP socket to 127.0.1.1:1: Connection refused
Segmentation fault

--------- backtrace ---------
_sip_tcp_helper_thread (pvt=<value optimized out>, tcptls_session=0x0) at chan_sip.c:2757
2757    if (!tcptls_session->client && !authenticated) {
(gdb) back
#0  _sip_tcp_helper_thread (pvt=<value optimized out>, tcptls_session=0x0) at chan_sip.c:2757
#1  0x000000000054fdfb in dummy_start (data=<value optimized out>) at utils.c:1010
#2  0x00007ffff6d0d9ca in start_thread () from /lib/libpthread.so.0
#3  0x00007ffff755e70d in clone () from /lib/libc.so.6
#4  0x0000000000000000 in ?? ()

----- cause -----
(chan_sip.c)
if ((!(ca = tcptls_session->parent)) ||
    (!(me = ao2_t_find(threadt, &tmp, OBJ_POINTER, "ao2_find, getting sip_threadinfo in tcp helper thread"))) ||
    (!(tcptls_session = ast_tcptls_client_start(tcptls_session)))) {
    goto cleanup;
}
(ast_tcptls_client_start returns NULL)

cleanup:
if (!tcptls_session->client && !authenticated) {
    ast_atomic_fetchadd_int(&unauth_sessions, -1);
}
^--- no checks against tcptls_session being NULL.

Note that this feature was introduced by mnicholson in 314666 as part of a denial of service fix. ast_tcptls_client_start has since forever been allowed to return NULL, so the fix is to blame.

$ svn diff -c 314666
...
cleanup:
+ if (!tcptls_session->client && !authenticated) {
+ ast_atomic_fetchadd_int(&unauth_sessions, -1);
+ }
| ||
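Review bot: the decrement added at the cleanup label dereferences tcptls_session without a NULL check, yet the label is reached by `goto cleanup` from the condition `(!(tcptls_session = ast_tcptls_client_start(tcptls_session)))`, which stores the function's NULL return into tcptls_session when the TCP connect fails, so `!tcptls_session->client` faults (the backtrace above shows tcptls_session=0x0 at chan_sip.c:2757). Guard the dereference, e.g. `if (tcptls_session && !tcptls_session->client && !authenticated) {`, or read `tcptls_session->client` into a local before the call that can replace the pointer.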
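To make the failure path concrete, here is a constructed C model of the cleanup pattern the report describes: a pointer reassigned to NULL inside the condition that jumps to the label, and the label then dereferencing it. This is an added example, not Asterisk code; the struct, the `client_start` stand-in for `ast_tcptls_client_start`, the `helper_*` names and the plain-int counter are assumptions for illustration, as is the premise that only client sessions can fail to connect.

```c
#include <stdio.h>

/* Constructed model of the chan_sip TCP helper thread's cleanup path.
 * Names (tcptls_session, client_start, helper_*) are assumptions; none of
 * this is Asterisk code. */

struct tcptls_session {
    int client;   /* 1 for an outbound (client) connection, 0 for an accepted one */
};

/* Accepted-but-not-yet-authenticated sessions. chan_sip updates its counter
 * with ast_atomic_fetchadd_int(); a plain int suffices for this single-thread model. */
static int unauth_sessions = 0;

/* Stand-in for ast_tcptls_client_start(): only client sessions connect, and a
 * refused connection is reported by returning NULL, the case the report
 * triggers by registering a Contact on the unused port 1. */
static struct tcptls_session *client_start(struct tcptls_session *s, int connect_ok)
{
    if (!s->client) {
        return s;
    }
    return connect_ok ? s : NULL;
}

/* Shape of the code as of r314666: the assignment inside the condition
 * overwrites tcptls_session with NULL on failure and the cleanup block then
 * dereferences it. Crashes when a client connect is refused, so the
 * scenarios below never call it with connect_ok == 0. */
static int helper_vulnerable(struct tcptls_session *tcptls_session, int authenticated, int connect_ok)
{
    int rc = 0;

    if (!(tcptls_session = client_start(tcptls_session, connect_ok))) {
        rc = -1;
        goto cleanup;
    }
    /* ... request handling would run here ... */

cleanup:
    if (!tcptls_session->client && !authenticated) {   /* NULL dereference on the goto path */
        unauth_sessions--;
    }
    return rc;
}

/* Fixed shape: test the pointer before using it. In this model skipping the
 * decrement for a NULL pointer is correct because only client sessions fail
 * to connect and client sessions are never counted in unauth_sessions. */
static int helper_fixed(struct tcptls_session *tcptls_session, int authenticated, int connect_ok)
{
    int rc = 0;

    if (!(tcptls_session = client_start(tcptls_session, connect_ok))) {
        rc = -1;
        goto cleanup;
    }

cleanup:
    if (tcptls_session && !tcptls_session->client && !authenticated) {
        unauth_sessions--;
    }
    return rc;
}

/* Scenario 1: outbound call to a peer whose TCP port refuses the connection
 * (the report's "Unable to connect SIP socket to 127.0.1.1:1"). Returns the
 * helper's status; unauth_sessions stays at 0. */
int refused_outbound(void)
{
    struct tcptls_session s = { .client = 1 };
    unauth_sessions = 0;
    return helper_fixed(&s, 0, 0);
}

/* Scenario 2: an accepted, still unauthenticated session counted on accept
 * and uncounted on cleanup. Returns the counter afterwards. */
int inbound_unauth_released(void)
{
    struct tcptls_session s = { .client = 0 };
    unauth_sessions = 1;   /* incremented when the connection was accepted */
    (void)helper_fixed(&s, 0, 1);
    return unauth_sessions;
}

/* Scenario 3: the r314666 shape on a path that does not fail, showing the
 * accounting it was added for works whenever the pointer is valid. */
int vulnerable_happy_path(void)
{
    struct tcptls_session s = { .client = 0 };
    unauth_sessions = 1;
    (void)helper_vulnerable(&s, 0, 1);
    return unauth_sessions;
}

int main(void)
{
    int rc = refused_outbound();
    printf("refused outbound: rc=%d unauth_sessions=%d\n", rc, unauth_sessions);
    printf("inbound released: unauth_sessions=%d\n", inbound_unauth_released());
    printf("r314666 shape, happy path: unauth_sessions=%d\n", vulnerable_happy_path());
    return 0;
}
```

The guard form mirrors the title of the attached patch (check against tcptls_session being NULL). If a NULL return could also occur for an accepted session, the guard alone would leave the unauthenticated-session slot counted forever, and saving `tcptls_session->client` in a local before the reassigning call would be the safer fix; the quoted code gives no indication that this can happen, so it is noted here only as a caveat.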
Comments: | By: Walter Doekes (wdoekes) 2011-05-11 09:10:27
The supplied patch should fix the issue.

Regards,
Walter Doekes
OSSO B.V.

By: Leif Madsen (lmadsen) 2011-05-20 09:42:52
Closed as a duplicate per wdoekes on IRC. Thanks! |