Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2011-004 Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Description: Remote crash vulnerability in TCP/TLS server
Origin: http://downloads.asterisk.org/pub/security/AST-2011-004-1.6.2.diff

Rapidly opening and closing TCP connections to services using the
ast_tcptls_* API (primarily chan_sip, manager, and res_phoneprov) can
cause Asterisk to crash after dereferencing a NULL pointer.

TCP-TLS code was did not exist yet in the Lenny (5.0) version of Asterisk.

See also: http://downloads.asterisk.org/pub/security/AST-2011-004.html

--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -139,8 +139,12 @@ static void *handle_tcptls_connection(vo
 	* open a FILE * as appropriate.
 	*/
 	if (!tcptls_session->parent->tls_cfg) {
-		tcptls_session->f = fdopen(tcptls_session->fd, "w+");
-		setvbuf(tcptls_session->f, NULL, _IONBF, 0);
+		if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
+			if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
+				fclose(tcptls_session->f);
+				tcptls_session->f = NULL;
+			}
+		}
 	}
 #ifdef DO_SSL
 	else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {