Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2011-010 Patch series | download
From: David Vossel <dvossel@digium.com>
Date: Thu, 23 Jun 2011 18:18:46 +0000
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=324634
Subject: Addresses AST-2011-010, crash due to dereferencing a remote pointer

A memory address was inadvertently transmitted over the network by IAX2
in an option control frame, and the remote party would try to access it.

CVE: CVE-2011-2535
See also: http://downloads.asterisk.org/pub/security/AST-2011-010.html
---
 channels/chan_iax2.c |   14 +++++++++++++-
 main/features.c      |   15 ++++++++++++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 952092d..6aea5fd 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -5081,7 +5081,14 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
 	case AST_OPTION_OPRMODE:
 		errno = EINVAL;
 		return -1;
-	default:
+ 	/* These options are sent to the other side across the network where
+ 	 * they will be passed to whatever channel is bridged there. Don't
+ 	 * do anything silly like pass an option that transmits pointers to
+ 	 * memory on this machine to a remote machine to use */
+ 	case AST_OPTION_TONE_VERIFY:
+ 	case AST_OPTION_TDD:
+ 	case AST_OPTION_RELAXDTMF:
+ 	case AST_OPTION_AUDIO_MODE:
 	{
 		unsigned short callno = PTR_TO_CALLNO(c->tech_pvt);
 		struct chan_iax2_pvt *pvt;
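Review bot: The allow-list of four options added here (`AST_OPTION_TONE_VERIFY`, `AST_OPTION_TDD`, `AST_OPTION_RELAXDTMF`, `AST_OPTION_AUDIO_MODE`) is repeated verbatim in the main/features.c hunk of this commit, and nothing ties the two copies together, so a later edit to one list could leave the sending and receiving sides disagreeing about which options are safe to forward. I would extend the new comment with a cross-reference such as `/* Keep in sync with the AST_CONTROL_OPTION allow-list in ast_bridge_call() (main/features.c) */`, or move the test into one shared helper. The added comment and case lines also start with a space before the tab, unlike the surrounding lines. The case body continues past the end of this hunk.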
@@ -5109,7 +5116,12 @@ static int iax2_setoption(struct ast_channel *c, int option, void *data, int dat
 		ast_free(h);
 		return res;
 	}
+	default:
+		return -1;
 	}
+
+	/* Just in case someone does a break instead of a return */
+	return -1;
 }
 
 static struct ast_frame *iax2_read(struct ast_channel *c) 
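Review bot: The new `default:` branch and the trailing fallback both return -1 without setting errno, while the `AST_OPTION_OPRMODE` case earlier in the same switch (visible in the previous hunk) sets `errno = EINVAL` before its `return -1`. If callers of iax2_setoption inspect errno, which is not visible from here, they would see a stale value for every option that is now rejected. Writing the branch as `default: errno = EINVAL; return -1;` would keep the rejection paths consistent. The function starts outside this hunk.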
diff --git a/main/features.c b/main/features.c
index c83b014..b57d7d1 100644
--- a/main/features.c
+++ b/main/features.c
@@ -3132,10 +3132,19 @@ int ast_bridge_call(struct ast_channel *chan,struct ast_channel *peer,struct ast
 				break;
 			case AST_CONTROL_OPTION:
 				aoh = f->data.ptr;
-				/* Forward option Requests */
+				/* Forward option Requests, but only ones we know are safe
+				 * These are ONLY sent by chan_iax2 and I'm not convinced that
+				 * they are useful. I haven't deleted them entirely because I
+				 * just am not sure of the ramifications of removing them. */
 				if (aoh && aoh->flag == AST_OPTION_FLAG_REQUEST) {
-					ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
-						f->datalen - sizeof(struct ast_option_header), 0);
+				   	switch (ntohs(aoh->option)) {
+					case AST_OPTION_TONE_VERIFY:
+					case AST_OPTION_TDD:
+					case AST_OPTION_RELAXDTMF:
+					case AST_OPTION_AUDIO_MODE:
+						ast_channel_setoption(other, ntohs(aoh->option), aoh->data, 
+							f->datalen - sizeof(struct ast_option_header), 0);
+					}
 				}
 				break;
 			}
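Review bot: The length handed to ast_channel_setoption(), `f->datalen - sizeof(struct ast_option_header)`, is still computed without checking that the frame is at least one header long; the guard only tests `aoh` for NULL before reading `aoh->flag` and `aoh->option`. The new comment says these frames come from chan_iax2, i.e. from the remote side, so a short frame would make the subtraction wrap in unsigned arithmetic unless datalen is validated before this point, which the hunk does not show. I would tighten the guard to `if (aoh && f->datalen >= (int) sizeof(struct ast_option_header) && aoh->flag == AST_OPTION_FLAG_REQUEST) {`. The inner switch also has no `break;` after the call and no `default:`; adding both would make the silent drop of every other option read as deliberate. ast_bridge_call begins and ends outside the hunk.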
-- 
1.7.5.4