Summary:ASTERISK-22007: chan_sip: segfault with invalid sdp
Reporter:Walter Doekes (wdoekes)Labels:
Date Opened:2013-07-03 16:15:56Date Closed:2013-08-27 13:06:01
Versions: 10.12.2 10.12.2-digiumphones 11.4.0 Frequency of
Environment:Attachments:( 0) AST-2013-005-1.8.15.diff
( 1) AST-2013-005-1.8.diff
( 2) AST-2013-005-10.diff
( 3) AST-2013-005-10-digiumphones.diff
( 4) AST-2013-005-11.2.diff
( 5) AST-2013-005-11.diff
( 6) invalid_sdp.xml
( 7) issueA22007_sdp_without_c_death.patch
Description:Imagine an INVITE with m audio, m video and c video.

Now we bypass (!sa && !vsa && !tsa && !isa) in process_sdp, but later on, the portno being > -1 gets us a ast_sockaddr_set_port(sa, portno); call. Even though sa is NULL.

Comments:By: Matt Jordan (mjordan) 2013-07-03 16:16:39.957-0500

Privacy granted!

By: Walter Doekes (wdoekes) 2013-07-04 02:19:20.571-0500

For completeness sake.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff40fe700 (LWP 1504)]
0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
382 if (addr->ss.ss_family == AF_INET &&
(gdb) back
#0  0x00000000005746be in _ast_sockaddr_set_port (addr=0x0, port=6000, file=0x7fffbcbdb1f4 "chan_sip.c", line=10640, func=0x7fffbcbf4abe "process_sdp") at netsock2.c:382
#1  0x00007fffbcb3fa36 in process_sdp (p=0x7fffb0002a68, req=0x7ffff40fd260, t38action=1) at chan_sip.c:10640
#2  0x00007fffbcb98585 in handle_request_invite (p=0x7fffb0002a68, req=0x7ffff40fd260, addr=0x7ffff40fdcd0, seqno=1, recount=0x7ffff40fd210, e=0x7fffb0000ebf "sip:1000@",
   nounlock=0x7ffff40fd214) at chan_sip.c:25325

=Config files=
asterisk-trunk$ cat /etc/asterisk/sip.conf

asterisk-trunk$ cat /etc/asterisk/extensions.conf
exten => 1000,1,NoOp()

     m=audio [media_port] RTP/AVP 8 0
     m=video [media_port] RTP/AVP 8 0
     c=IN IP[media_ip_type] [media_ip]


trunk r393633 (vulnerable)
10 rCUSTOM (vulnerable)
1.8 r393627 (vulnerable)

I didn't test any others.


I initially improved the (!sa && !vsa && !tsa && !isa) checks to something like:
... && (sa || portno == -1) && (vsa || videoportno == -1) && ...

But then I figured that we might block some SDP used in the wild that didn't crash, and we'd be breaking things for them.

So instead I opted to add the checks as I did in {{issueA22007_sdp_without_c_death.patch}}.

By: Matt Jordan (mjordan) 2013-07-05 09:17:13.626-0500

Well... nuts. Thanks for catching this.

Given that there may be another security vulnerability or two currently in the tracker, we'll queue this up until we know the status of those.

By: Matt Jordan (mjordan) 2013-07-08 19:30:39.989-0500

Just to verify, I put together the SIPp scenario on this issue and confirmed that it does crash Asterisk.

By: Matt Jordan (mjordan) 2013-08-27 09:36:05.254-0500

We've got everything lined up finally to get the security release out. These should go out today, 08/27.