kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-02 03:02:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.

Browse Source 
In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cauase a SEGV.  We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.

Resolves: #GHSA-64qc-9x89-rx5j
This commit is contained in:
George Joseph
2025-08-28 06:47:04 -06:00
parent a6142af2a0
commit c6595e45ad
1 changed files with 32 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
res/res_pjsip_authenticator_digest.c
View File

@@ -184,24 +184,29 @@ static pj_status_t digest_lookup(pj_pool_t *pool,
const char *creds; const char *creds;
const char *auth_name = (auth ? ast_sorcery_object_get_id(auth) : "none"); const char *auth_name = (auth ? ast_sorcery_object_get_id(auth) : "none");
struct pjsip_authorization_hdr *auth_hdr = get_authorization_hdr(auth_name, realm, param->rdata); struct pjsip_authorization_hdr *auth_hdr = get_authorization_hdr(auth_name, realm, param->rdata);
const pjsip_auth_algorithm *algorithm = const pjsip_auth_algorithm *algorithm = auth_hdr ?
ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm); ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm) : NULL;
const char *src_name = param->rdata->pkt_info.src_name; const char *src_name = param->rdata->pkt_info.src_name;
SCOPE_ENTER(4, "%s:%s:" SCOPE_ENTER(4, "%s:%s:"
" srv realm: " PJSTR_PRINTF_SPEC " srv realm: " PJSTR_PRINTF_SPEC
" auth realm: %s" " auth realm: %s"
" hdr realm: " PJSTR_PRINTF_SPEC
" auth user: %s" " auth user: %s"
" hdr user: " PJSTR_PRINTF_SPEC " hdr user: " PJSTR_PRINTF_SPEC
" algorithm: " PJSTR_PRINTF_SPEC
"\n", "\n",
auth_name, src_name, auth_name, src_name,
PJSTR_PRINTF_VAR(param->realm), PJSTR_PRINTF_VAR(param->realm),
realm, realm,
PJSTR_PRINTF_VAR(auth_hdr->credential.common.realm),
auth->auth_user, auth->auth_user,
PJSTR_PRINTF_VAR(param->acc_name), PJSTR_PRINTF_VAR(param->acc_name));
PJSTR_PRINTF_VAR(algorithm->iana_name));
/*
* If a client is responding correctly, most of the error conditions below
* can't happen because we sent them the correct info in the 401 response.
* However, if a client is trying to authenticate with us without
* having received a challenge or if they are trying to
* authenticate with a different realm or algorithm than we sent them,
* we need to catch that.
*/
if (!auth) { if (!auth) {
/* This can only happen if the auth object was not saved to thread-local storage */ /* This can only happen if the auth object was not saved to thread-local storage */
@@ -209,6 +214,26 @@ static pj_status_t digest_lookup(pj_pool_t *pool,
auth_name, src_name); auth_name, src_name);
} }
if (auth_hdr == NULL) {
/*
* This can only happen if the incoming request did not have an
* Authorization header or the realm in the header was missing or incorrect.
*/
SCOPE_EXIT_RTN_VALUE(PJSIP_SC_FORBIDDEN,
"%s:%s: No Authorization header found for realm '%s'\n",
auth_name, src_name, realm);
}
if (algorithm == NULL) {
/*
* This can only happen if the incoming request had an algorithm
* we don't support.
*/
SCOPE_EXIT_RTN_VALUE(PJSIP_SC_FORBIDDEN,
"%s:%s: Unsupported algorithm '" PJSTR_PRINTF_SPEC "'\n",
auth_name, src_name, PJSTR_PRINTF_VAR(auth_hdr->credential.digest.algorithm));
}
if (auth->type == AST_SIP_AUTH_TYPE_ARTIFICIAL) { if (auth->type == AST_SIP_AUTH_TYPE_ARTIFICIAL) {
/* /*
* This shouldn't happen because this function can only be invoked * This shouldn't happen because this function can only be invoked