ASTERISK-18805: Remote crash vulnerability in chan_sip when automon in features.conf is enabled

[Home]

Summary: ASTERISK-18805: Remote crash vulnerability in chan_sip when automon in features.conf is enabled

Reporter: Kristijan Vrban (vrban) Labels:

Date Opened: 2011-11-02 04:55:44 Date Closed: 2011-12-08 10:20:17.000-0600

Priority: Critical Regression?

Status: Closed/Complete Components: Channels/chan_sip/General

Versions: 1.8.7.0 Frequency of
Occurrence

Related
Issues:
must be completed before resolving ASTERISK-18499 Asterisk 1.8.8.0 Release Blockers

must be completed before resolving ASTERISK-18847 Asterisk 10.0.0 Release Blockers

Environment: Attachments: ( 0) info_crash_fix.patch
( 1) info_crash.xml

Description: Asterisk 1.6/1.8/10 and trunk are affected. To crash Asterisk, you just need to send a aimless SIP INVITE (which get a 407 answer)
just to open a SIP dialog. And then send a SIP INFO with a "Record: on" header in this dialog. Then asterisk crash in channel.c/ast_queue_frame,
because ast_queue_frame(p->owner, &f) is call with p->owner == NULL from handle_request_info, because no channel is active.

The patch just checks, if p->owner is set. Otherwise it send a 481 (perhaps something else?)

Comments: By: Kristijan Vrban (vrban) 2011-11-03 09:56:50.623-0500

Here is a sipp scenario to reproduce the crash.