Update for 21.10.2

In the highly-unlikely event that get_authorization_hdr() couldn't find an
Authorization header in a request, trying to get the digest algorithm
would cauase a SEGV.  We now check that we have an auth header that matches
the realm before trying to get the algorithm from it.

Resolves: #GHSA-64qc-9x89-rx5j

.version

@@ -1 +1 @@
-21.10.1
+21.10.2

CHANGES.html

@@ -1 +1 @@
-ChangeLogs/ChangeLog-21.10.1.html
+ChangeLogs/ChangeLog-21.10.2.html

CHANGES.md

@@ -1 +1 @@
-ChangeLogs/ChangeLog-21.10.1.md
+ChangeLogs/ChangeLog-21.10.2.md

ChangeLogs/ChangeLog-21.10.2.html

@@ -0,0 +1,50 @@
+<html><head><title>ChangeLog for asterisk-21.10.2</title></head><body>
+<h2>Change Log for Release asterisk-21.10.2</h2>
+<h3>Links:</h3>
+<ul>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.10.2.html">Full ChangeLog</a>  </li>
+<li><a href="https://github.com/asterisk/asterisk/compare/21.10.1...21.10.2">GitHub Diff</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.10.2.tar.gz">Tarball</a>  </li>
+<li><a href="https://downloads.asterisk.org/pub/telephony/asterisk">Downloads</a>  </li>
+</ul>
+<h3>Summary:</h3>
+<ul>
+<li>Commits: 1</li>
+<li>Commit Authors: 1</li>
+<li>Issues Resolved: 0</li>
+<li>Security Advisories Resolved: 1</li>
+<li><a href="https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j">GHSA-64qc-9x89-rx5j</a>: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash</li>
+</ul>
+<h3>User Notes:</h3>
+<h3>Upgrade Notes:</h3>
+<h3>Developer Notes:</h3>
+<h3>Commit Authors:</h3>
+<ul>
+<li>George Joseph: (1)</li>
+</ul>
+<h2>Issue and Commit Detail:</h2>
+<h3>Closed Issues:</h3>
+<ul>
+<li>!GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash</li>
+</ul>
+<h3>Commits By Author:</h3>
+<ul>
+<li>
+<h4>George Joseph (1):</h4>
+</li>
+<li>res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.</li>
+</ul>
+<h3>Commit List:</h3>
+<ul>
+<li>res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.</li>
+</ul>
+<h3>Commit Details:</h3>
+<h4>res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.</h4>
+<p>Author: George Joseph
+  Date:   2025-08-28</p>
+<p>In the highly-unlikely event that get_authorization_hdr() couldn't find an
+  Authorization header in a request, trying to get the digest algorithm
+  would cauase a SEGV.  We now check that we have an auth header that matches
+  the realm before trying to get the algorithm from it.</p>
+<p>Resolves: #GHSA-64qc-9x89-rx5j</p>
+</body></html>

ChangeLogs/ChangeLog-21.10.2.md

@@ -0,0 +1,60 @@
+
+## Change Log for Release asterisk-21.10.2
+
+### Links:
+
+ - [Full ChangeLog](https://downloads.asterisk.org/pub/telephony/asterisk/releases/ChangeLog-21.10.2.html)  
+ - [GitHub Diff](https://github.com/asterisk/asterisk/compare/21.10.1...21.10.2)  
+ - [Tarball](https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-21.10.2.tar.gz)  
+ - [Downloads](https://downloads.asterisk.org/pub/telephony/asterisk)  
+
+### Summary:
+
+- Commits: 1
+- Commit Authors: 1
+- Issues Resolved: 0
+- Security Advisories Resolved: 1
+  - [GHSA-64qc-9x89-rx5j](https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j): A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
+
+### User Notes:
+
+
+### Upgrade Notes:
+
+
+### Developer Notes:
+
+
+### Commit Authors:
+
+- George Joseph: (1)
+
+## Issue and Commit Detail:
+
+### Closed Issues:
+
+  - !GHSA-64qc-9x89-rx5j: A specifically malformed Authorization header in an incoming SIP request can cause Asterisk to crash
+
+### Commits By Author:
+
+- #### George Joseph (1):
+  - res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
+
+
+### Commit List:
+
+-  res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
+
+### Commit Details:
+
+#### res_pjsip_authenticator_digest: Fix SEGV if get_authorization_hdr returns NULL.
+  Author: George Joseph
+  Date:   2025-08-28
+
+  In the highly-unlikely event that get_authorization_hdr() couldn't find an
+  Authorization header in a request, trying to get the digest algorithm
+  would cauase a SEGV.  We now check that we have an auth header that matches
+  the realm before trying to get the algorithm from it.
+
+  Resolves: #GHSA-64qc-9x89-rx5j
+

README.html

@@ -1,4 +1,4 @@
-<html><head><title>Readme for asterisk-21.10.1</title></head><body>
+<html><head><title>Readme for asterisk-21.10.2</title></head><body>
 <h1>The Asterisk(R) Open Source PBX</h1>
 <pre><code>By Mark Spencer &lt;markster@digium.com&gt; and the Asterisk.org developer community.
 Copyright (C) 2001-2025 Sangoma Technologies Corporation and other copyright holders.
@@ -37,7 +37,7 @@ hardware.</p>
 <p>If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.</p>
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-<p><a href="ChangeLogs/ChangeLog-21.10.1.html">Change Logs</a></p>
+<p><a href="ChangeLogs/ChangeLog-21.10.2.html">Change Logs</a></p>
 <!-- END-CHANGELOGS -->
 
 <h3>NEW INSTALLATIONS</h3>

README.md

@@ -55,7 +55,7 @@ If you are updating from a previous version of Asterisk, make sure you
 read the Change Logs.
 
 <!-- CHANGELOGS (the URL will change based on the location of this README) -->
-[Change Logs](ChangeLogs/ChangeLog-21.10.1.html)
+[Change Logs](ChangeLogs/ChangeLog-21.10.2.html)
 <!-- END-CHANGELOGS -->
 
 ### NEW INSTALLATIONS

res/res_pjsip_authenticator_digest.c

@@ -184,24 +184,29 @@ static pj_status_t digest_lookup(pj_pool_t *pool,
 	const char *creds;
 	const char *auth_name = (auth ? ast_sorcery_object_get_id(auth) : "none");
 	struct pjsip_authorization_hdr *auth_hdr = get_authorization_hdr(auth_name, realm, param->rdata);
-	const pjsip_auth_algorithm *algorithm =
-		ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm);
+	const pjsip_auth_algorithm *algorithm = auth_hdr ?
+		ast_sip_auth_get_algorithm_by_iana_name(&auth_hdr->credential.digest.algorithm) : NULL;
 	const char *src_name = param->rdata->pkt_info.src_name;
 	SCOPE_ENTER(4, "%s:%s:"
 		" srv realm: " PJSTR_PRINTF_SPEC
 		" auth realm: %s"
-		" hdr realm: " PJSTR_PRINTF_SPEC
 		" auth user: %s"
 		" hdr user: " PJSTR_PRINTF_SPEC
-		" algorithm: " PJSTR_PRINTF_SPEC
 		"\n",
 		auth_name, src_name,
 		PJSTR_PRINTF_VAR(param->realm),
 		realm,
-		PJSTR_PRINTF_VAR(auth_hdr->credential.common.realm),
 		auth->auth_user,
-		PJSTR_PRINTF_VAR(param->acc_name),
-		PJSTR_PRINTF_VAR(algorithm->iana_name));
+		PJSTR_PRINTF_VAR(param->acc_name));
+
+	/*
+	 * If a client is responding correctly, most of the error conditions below
+	 * can't happen because we sent them the correct info in the 401 response.
+	 * However, if a client is trying to authenticate with us without
+	 * having received a challenge or if they are trying to
+	 * authenticate with a different realm or algorithm than we sent them,
+	 * we need to catch that.
+	 */
 
 	if (!auth) {
 		/* This can only happen if the auth object was not saved to thread-local storage */
@@ -209,6 +214,26 @@ static pj_status_t digest_lookup(pj_pool_t *pool,
 			auth_name, src_name);
 	}
 
+	if (auth_hdr == NULL) {
+		/*
+		 * This can only happen if the incoming request did not have an
+		 * Authorization header or the realm in the header was missing or incorrect.
+		 */
+		SCOPE_EXIT_RTN_VALUE(PJSIP_SC_FORBIDDEN,
+			"%s:%s: No Authorization header found for realm '%s'\n",
+			auth_name, src_name, realm);
+	}
+
+	if (algorithm == NULL) {
+		/*
+		 * This can only happen if the incoming request had an algorithm
+		 * we don't support.
+		 */
+		SCOPE_EXIT_RTN_VALUE(PJSIP_SC_FORBIDDEN,
+			"%s:%s: Unsupported algorithm '" PJSTR_PRINTF_SPEC "'\n",
+			auth_name, src_name, PJSTR_PRINTF_VAR(auth_hdr->credential.digest.algorithm));
+	}
+
 	if (auth->type == AST_SIP_AUTH_TYPE_ARTIFICIAL) {
 		/*
 		 * This shouldn't happen because this function can only be invoked