kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-05 04:11:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

res_pjsip_pubsub: unauthenticated remote crash in PJSIP pub/sub framework

Browse Source 
A remotely exploitable crash vulnerability exists in the PJSIP channel driver's
pub/sub framework. If an attempt is made to unsubscribe when not currently
subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries
to create an expiration timer with zero seconds, which is not allowed, so an
assertion raised.

The fix was to reject a subscription that is attempting to unsubscribe when not
being already subscribed.  Asterisk now checks for this situation appropriately
and responds with a 400 instead of crashing.

AST-2014-005

ASTERISK-23489 #close
........

Merged revisions 415812 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415813 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Kevin Harwell
2014-06-12 14:39:29 +00:00
parent e6cb6974fe
commit 870394c051
1 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
res/res_pjsip_pubsub.c
View File

@@ -1129,12 +1129,20 @@ static pj_bool_t pubsub_on_rx_subscribe_request(pjsip_rx_data *rdata)
expires_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_EXPIRES, rdata->msg_info.msg->hdr.next); expires_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_EXPIRES, rdata->msg_info.msg->hdr.next);
if (expires_header && expires_header->ivalue < endpoint->subscription.minexpiry) { if (expires_header) {
ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %u\n", if (expires_header->ivalue == 0) {
ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n",
ast_sorcery_object_get_id(endpoint));
pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400, NULL, NULL, NULL);
return PJ_TRUE;
}
if (expires_header->ivalue < endpoint->subscription.minexpiry) {
ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %d\n",
expires_header->ivalue, ast_sorcery_object_get_id(endpoint), endpoint->subscription.minexpiry); expires_header->ivalue, ast_sorcery_object_get_id(endpoint), endpoint->subscription.minexpiry);
pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL); pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
return PJ_TRUE; return PJ_TRUE;
} }
}
handler = subscription_get_handler_from_rdata(rdata); handler = subscription_get_handler_from_rdata(rdata);
if (!handler) { if (!handler) {