asterisk -- Buffer Overrun in PJSIP transaction layer

ID 0537AFA3-3CE0-11E7-BF9D-001999F8D30B
Type freebsd
Reporter FreeBSD
Modified 2017-04-12T00:00:00


The Asterisk project reports:

A remote crash can be triggered by sending a SIP packet to Asterisk with a specially crafted CSeq header and a Via header with no branch parameter. The issue is that the PJSIP RFC 2543 transaction key generation algorithm does not allocate a large enough buffer. By overrunning the buffer, the memory allocation table becomes corrupted, leading to an eventual crash. The multi-part body parser in PJSIP contains a logical error that can make certain multi-part body parts attempt to read memory from outside the allowed boundaries. A specially-crafted packet can trigger these invalid reads and potentially induce a crash. This issues is in PJSIP, and so the issue can be fixed without performing an upgrade of Asterisk at all. However, we are releasing a new version of Asterisk with the bundled PJProject updated to include the fix. If you are running Asterisk with chan_sip, this issue does not affect you.