authorRichard Mudgett <rmudgett@digium.com>2015-09-28 17:07:42 -0500
committerRichard Mudgett <rmudgett@digium.com>2016-02-03 15:04:08 -0600
commita877e0d94b263bcb3d2b378dc952b759d58a2b43 (patch)
treebbd43c7fc21fe478c06e44122027757f600c494c
parentae1f728f0f7f816a3e697a0c039046f23ec9ccf3 (diff)
AST-2016-002 chan_sip.c: Fix retransmission timeout integer overflow.
Setting the sip.conf timert1 value to a value higher than 1245 can cause an integer overflow and result in large retransmit timeout times. These large timeout times hold system file descriptors hostage and can cause the system to run out of file descriptors. NOTE: The default sip.conf timert1 value is 500 which does not expose the vulnerability. * The overflow is now detected and the previous timeout time is calculated. ASTERISK-25397 #close Reported by: Alexander Traud Change-Id: Ia7231f2f415af1cbf90b923e001b9219cff46290
-rw-r--r--channels/chan_sip.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 10b0d23f2..aaf0b6d51 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -3970,6 +3970,13 @@ static int retrans_pkt(const void *data)
}
/* For non-invites, a maximum of 4 secs */
+ if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
+ /*
+ * Uh Oh, we will have an integer overflow.
+ * Recalculate previous timeout time instead.
+ */
+ pkt->timer_a = pkt->timer_a / 2;
+ }
siptimer_a = pkt->timer_t1 * pkt->timer_a; /* Double each time */
if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
siptimer_a = 4000;
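Review bot: The guard `if (INT_MAX / pkt->timer_a < pkt->timer_t1)` stops the wraparound but not the long timeouts themselves: for INVITE packets, which skip the 4000 ms cap just below, the product can still plateau anywhere up to INT_MAX milliseconds unless something outside the hunk bounds it. The check also divides by `pkt->timer_a` and is only valid when both operands are positive, which is presumably ensured by the code ending just above the hunk and by config parsing, neither of which is visible here. I would record that in the comment, e.g. `/* Requires timer_a > 0 and timer_t1 > 0; undo the last doubling so the product fits in an int. */`, and consider rejecting or clamping an oversized timert1 where sip.conf is read. retrans_pkt begins and ends outside the hunk.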