| Summary: | ASTERISK-30259: ari: Crash on missing JSON validation in push registration | ||
| Reporter: | Thomas Guebels (tguescaux) | Labels: | patch |
| Date Opened: | 2022-10-10 04:40:32 | Date Closed: | |
| Priority: | Minor | Regression? | No |
| Status: | Open/New | Components: | Resources/res_ari Resources/res_pjsip_outbound_registration |
| Versions: | 18.14.0 | Frequency of Occurrence | Constant |
| Related Issues: | |||
| Environment: | Attachments: | ( 0) ari_push_json_validation_crash.diff | |
| Description: | When creating a new outbound registration using ARI push method, an unexpected JSON body can easily trigger a crash.
The code expects "attribute" and "value" to be present and to be string in the objects of the field array. So anything not in the form {code} [ { "attribute": "string", "value": "string" }, ] {code} will trigger it. Example: {code} [ { "attribute": "string", "value": 123 }, ] {code} or {code} [ { }, ] {code} This is the backtrace: {code} #0 0x00007f33c6f28bea in ?? () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x000055b026c5028c in _ast_variable_new (name=0x7f32f4001b90 "max_retries", value=0x0, filename=0x7f3371c7c502 "", file=0x7f3371c7c406 "ari/resource_asterisk.c", func=0x7f3371c7cb00 <__PRETTY_FUNCTION__.15793> "ast_ari_asterisk_update_object", lineno=197) at config.c:292 #2 0x00007f3371c7a3a3 in ast_ari_asterisk_update_object (headers=0x7f32f4000ec0, args=0x7f333d552880, response=0x7f333d552ae0) at ari/resource_asterisk.c:197 #3 0x00007f3371c78b73 in ast_ari_asterisk_update_object_cb (ser=0x7f3350000bd0, get_params=0x0, path_vars=0x7f32f40015e0, headers=0x7f32f4000ec0, body=0x7f32f4001910, response=0x7f333d552ae0) at res_ari_asterisk.c:161 #4 0x00007f3372ef86f9 in ast_ari_invoke (ser=0x7f3350000bd0, uri=0x7f333d552c49 "asterisk/config/dynamic/res_pjsip/registration/2f35c461-5f59-4fc5-8c59-f191a97fdb03", method=AST_HTTP_PUT, get_params=0x0, headers=0x7f32f4000ec0, body=0x7f32f4001910, response=0x7f333d552ae0) at res_ari.c:587 #5 0x00007f3372ef9e79 in ast_ari_callback (ser=0x7f3350000bd0, urih=0x7f3372f06040 <http_uri>, uri=0x7f333d552c49 "asterisk/config/dynamic/res_pjsip/registration/2f35c461-5f59-4fc5-8c59-f191a97fdb03", method=AST_HTTP_PUT, get_params=0x0, headers=0x7f32f4000ec0) at res_ari.c:1058 #6 0x000055b026c6fb53 in handle_uri (ser=0x7f3350000bd0, uri=0x7f333d552c49 "asterisk/config/dynamic/res_pjsip/registration/2f35c461-5f59-4fc5-8c59-f191a97fdb03", method=AST_HTTP_PUT, headers=0x7f32f4000ec0) at http.c:1490 #7 0x000055b026c70d7e in httpd_process_request (ser=0x7f3350000bd0) at http.c:1931 #8 0x000055b026c710c3 in httpd_helper_thread (data=0x7f3350000bd0) at http.c:1994 #9 0x000055b026c0e39b in handle_tcptls_connection (data=0x7f3350000bd0) at tcptls.c:274 #10 0x000055b026c21de6 in dummy_start (data=0x55b02779cc60) at utils.c:1574 #11 0x00007f33c7214609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #12 0x00007f33c6f96133 in clone () from /lib/x86_64-linux-gnu/libc.so.6 {code} | ||
| Comments: | By: Asterisk Team (asteriskteam) 2022-10-10 04:40:39.019-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/]. By: Joshua C. Colp (jcolp) 2022-10-10 04:45:30.193-0500 Thank you for the crash report. However, we need more information to investigate the crash. Please provide: 1. A backtrace generated from a core dump using the instructions provided on the Asterisk wiki [1]. 2. Specific steps taken that lead to the crash. 3. All configuration information necesary to reproduce the crash. Thanks! [1]: https://wiki.asterisk.org/wiki/display/AST/Getting+a+Backtrace By: Thomas Guebels (tguescaux) 2022-10-10 05:25:54.659-0500 The crash seems to come from the fact that the code expects to have objects in the field array that have "attribute" and "value" keys and these can only be strings. The attached patch adds validation so that the 2 cases shown in the description do not trigger a crash anymore, but only skip the field. | ||