Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2013-005
From: Matthew Jordan <mjordan@digium.com>
Date: Tue, 27 Aug 2013 17:55:59 +0000
Subject: AST-2013-005: Fix crash caused by invalid SDP
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-22007
CVE: CVE-2013-5642
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=397756

If the SIP channel driver processes an invalid SDP that defines media
descriptions before connection information, it may attempt to reference
the socket address information even though that information has not yet
been set. This will cause a crash.

This patch adds checks when handling the various media descriptions that
ensure the media descriptions are handled only if we have connection
information suitable for that media.

Thanks to Walter Doekes, OSSO B.V., for reporting, testing, and providing
the solution to this problem.

Reported by: wdoekes
Tested by: wdoekes
patches:
  issueA22007_sdp_without_c_death.patch uploaded by wdoekes (License 5674)

---
 channels/chan_sip.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -8624,7 +8624,7 @@ static int process_sdp(struct sip_pvt *p
 
 	/* Setup audio address and port */
 	if (p->rtp) {
-		if (portno > 0) {
+		if (hp && portno > 0) {
 			sin.sin_family = AF_INET;
 			sin.sin_port = htons(portno);
 			memcpy(&sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
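Review bot: at `if (hp && portno > 0)` a NULL `hp` with a positive port now takes the same path as a non-positive port, and that path is outside the lines shown. Confirm that path is correct for an offer that names an audio port but carries no usable connection address, and consider logging a warning for this case so a malformed SDP can be told apart in the logs from a stream that was simply not offered.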
@@ -8663,7 +8663,7 @@ static int process_sdp(struct sip_pvt *p
 
 	/* Setup video address and port */
 	if (p->vrtp) {
-		if (vportno > 0) {
+		if (vhp && vportno > 0) {
 			vsin.sin_family = AF_INET;
 			vsin.sin_port = htons(vportno);
 			memcpy(&vsin.sin_addr, vhp->h_addr, sizeof(vsin.sin_addr));
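Review bot: the `memcpy(&vsin.sin_addr, vhp->h_addr, sizeof(vsin.sin_addr))` under the new `vhp &&` guard still copies a fixed `sizeof(vsin.sin_addr)` bytes and sets `AF_INET` without looking at what kind of address was resolved. If `vhp` is a `struct hostent`, as the `h_addr` member suggests, testing `vhp->h_addrtype == AF_INET` (or `h_length`) alongside the NULL test would make the guard cover the whole assumption the copy relies on, not just the pointer.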
@@ -8680,7 +8680,7 @@ static int process_sdp(struct sip_pvt *p
 
 	/* Setup text address and port */
 	if (p->trtp) {
-		if (tportno > 0) {
+		if (thp && tportno > 0) {
 			tsin.sin_family = AF_INET;
 			tsin.sin_port = htons(tportno);
 			memcpy(&tsin.sin_addr, thp->h_addr, sizeof(tsin.sin_addr));
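Review bot: the comment above `if (thp && tportno > 0)` still reads only "Setup text address and port", and nothing in the code says why `thp` can be NULL at this point. A short comment noting that a media description can arrive without connection information, the case the commit message describes, would keep the check from being removed as redundant in a later cleanup.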
@@ -8702,7 +8702,7 @@ static int process_sdp(struct sip_pvt *p
 	}
 	/* Setup image address and port */
 	if (p->udptl) {
-		if (udptlportno > 0) {
+		if (ihp && udptlportno > 0) {
 			isin.sin_family = AF_INET;
 			isin.sin_port = htons(udptlportno);
 			if (ast_test_flag(&p->flags[0], SIP_NAT) && ast_test_flag(&p->flags[1], SIP_PAGE2_UDPTL_DESTINATION)) {
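Review bot: the `ihp` dereference that this guard protects is not in the visible lines, and `if (ihp && udptlportno > 0)` now also gates the nested `SIP_NAT` / `SIP_PAGE2_UDPTL_DESTINATION` branch. If that branch takes the UDPTL destination from somewhere other than `ihp`, it is now skipped whenever connection information is missing; either move the `ihp` test down to the branch that actually reads `ihp`, or state in a comment that skipping both is intended.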