Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2013-004
From: Matthew Jordan <mjordan@digium.com>
Date: Tue, 27 Aug 2013 15:49:14 +0000
Subject: AST-2013-004: Fix crash when handling ACK on dialog that has no channel
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-21064
CVE: CVE-2013-5641
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=397710

A remotely exploitable crash vulnerability exists in the SIP channel driver if an
ACK with SDP is received after the channel has been terminated. The handling
code incorrectly assumed that the channel would always be present.

This patch adds a check such that the SDP will only be parsed and applied if
Asterisk has a channel present that is associated with the dialog.

Note that the patch being applied was modified only slightly from the patch
provided by Walter Doekes of OSSO B.V.

Reported by: Colin Cuthbertson
Tested by: wdoekes, Colin Cuthbertson
patches:
  issueA21064_fix.patch uploaded by wdoekes (License 5674)

Backported to 1.8.13.1

---
 channels/chan_sip.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -25292,7 +25292,7 @@ static int handle_incoming(struct sip_pv
 			p->invitestate = INV_TERMINATED;
 			p->pendinginvite = 0;
 			acked = __sip_ack(p, seqno, 1 /* response */, 0);
-			if (find_sdp(req)) {
+			if (p->owner && find_sdp(req)) {
 				if (process_sdp(p, req, SDP_T38_NONE))
 					return -1;
 			}
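
Review bot: The added `p->owner &&` guard in handle_incoming carries no comment explaining why SDP in an ACK is skipped when the dialog has no channel; a one-line comment above the `if` would keep a later cleanup from dropping the check. The guard also lives only at this call site, so it is worth confirming that no other caller can reach process_sdp() with p->owner NULL, or moving the NULL handling into process_sdp() itself. When the guard fails the SDP is ignored silently; a debug-level log at that point would help when diagnosing late ACKs.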