diff options
| author | Kevin Harwell <kharwell@digium.com> | 2014-06-12 14:39:29 +0000 |
|---|---|---|
| committer | Kevin Harwell <kharwell@digium.com> | 2014-06-12 14:39:29 +0000 |
| commit | 870394c0513d773c6c8cab9573bd27640281359e (patch) | |
| tree | 415bc0b92036780d20addc7917446266030bacc7 /res/res_pjsip_pubsub.c | |
| parent | e6cb6974fe8a4ab68ccb78a466e1274aef9d4150 (diff) | |
res_pjsip_pubsub: unauthenticated remote crash in PJSIP pub/sub framework
A remotely exploitable crash vulnerability exists in the PJSIP channel driver's
pub/sub framework. If an attempt is made to unsubscribe when not currently
subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries
to create an expiration timer with zero seconds, which is not allowed, so an
assertion raised.
The fix was to reject a subscription that is attempting to unsubscribe when not
being already subscribed. Asterisk now checks for this situation appropriately
and responds with a 400 instead of crashing.
AST-2014-005
ASTERISK-23489 #close
........
Merged revisions 415812 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415813 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_pjsip_pubsub.c')
| -rw-r--r-- | res/res_pjsip_pubsub.c | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/res/res_pjsip_pubsub.c b/res/res_pjsip_pubsub.c index 88e284faf..381f37617 100644 --- a/res/res_pjsip_pubsub.c +++ b/res/res_pjsip_pubsub.c @@ -1129,12 +1129,20 @@ static pj_bool_t pubsub_on_rx_subscribe_request(pjsip_rx_data *rdata) expires_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_EXPIRES, rdata->msg_info.msg->hdr.next); - if (expires_header && expires_header->ivalue < endpoint->subscription.minexpiry) { - ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %u\n", + if (expires_header) { + if (expires_header->ivalue == 0) { + ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n", + ast_sorcery_object_get_id(endpoint)); + pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400, NULL, NULL, NULL); + return PJ_TRUE; + } + if (expires_header->ivalue < endpoint->subscription.minexpiry) { + ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %d\n", expires_header->ivalue, ast_sorcery_object_get_id(endpoint), endpoint->subscription.minexpiry); - pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL); - return PJ_TRUE; - } + pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL); + return PJ_TRUE; + } + } handler = subscription_get_handler_from_rdata(rdata); if (!handler) { |