Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2011-003 Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
Description: Resource exhaustion in Asterisk Manager Interface
Origin: http://downloads.asterisk.org/pub/security/AST-2011-003-1.6.2.diff

Rapidly opening manager connections, sending invalid data, and closing the
connection can cause Asterisk to exhaust available CPU and memory resources.

The manager interface is disabled by default in upstream, but enabled
by default (listening on localhost only) in the version in Debian 5.0 (Lenny)
and 6.0 (Squeeze).

See also http://downloads.asterisk.org/pub/security/AST-2011-003.html

FIXME: Probably now that useful on its own, but still pre-requirement for
AST_2011-005. Fix description.

--- a/main/manager.c
+++ b/main/manager.c
@@ -228,6 +228,7 @@ struct mansession {
 	struct mansession_session *session;
 	FILE *f;
 	int fd;
+	int write_error:1;
 };
 
 #define NEW_EVENT(m)	(AST_LIST_NEXT(m->session->last_ev, eq_next))
@@ -952,11 +953,15 @@ struct ast_variable *astman_get_variable
  */
 static int send_string(struct mansession *s, char *string)
 {
-	if (s->f) {
-		return ast_careful_fwrite(s->f, s->fd, string, strlen(string), s->session->writetimeout);
-	} else {
-		return ast_careful_fwrite(s->session->f, s->session->fd, string, strlen(string), s->session->writetimeout);
+	FILE *f = s->f ? s->f : s->session->f;
+	int fd = s->f ? s->fd : s->session->fd;
+	int res;
+
+	if ((res = ast_careful_fwrite(f, fd, string, strlen(string), s->session->writetimeout))) {
+		s->write_error = 1;
 	}
+
+	return res;
 }
 
 /*!
@@ -3240,7 +3245,7 @@ static void *session_do(void *data)
 
 	astman_append(&s, "Asterisk Call Manager/%s\r\n", AMI_VERSION);	/* welcome prompt */
 	for (;;) {
-		if ((res = do_message(&s)) < 0)
+		if ((res = do_message(&s)) < 0 || s.write_error)
 			break;
 	}
 	/* session is over, explain why and terminate */