res_pjsip_pubsub: unauthenticated remote crash in PJSIP pub/sub framework
authorKevin Harwell <kharwell@digium.com>
Thu, 12 Jun 2014 14:38:34 +0000 (14:38 +0000)
committerKevin Harwell <kharwell@digium.com>
Thu, 12 Jun 2014 14:38:34 +0000 (14:38 +0000)
A remotely exploitable crash vulnerability exists in the PJSIP channel driver's
pub/sub framework. If an attempt is made to unsubscribe when not currently
subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries
to create an expiration timer with zero seconds, which is not allowed, so an
assertion is raised.

The fix was to reject a subscription that is attempting to unsubscribe when not
already subscribed.  Asterisk now checks for this situation appropriately
and responds with a 400 instead of crashing.

AST-2014-005

ASTERISK-23489 #close

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/12@415812 65c4cc65-6c06-0410-ace0-fbb531ad65f3

res/res_pjsip_pubsub.c

index 88e284fafb45298d667e08b6b3b88339be5f5cdc..381f37617d24f85a2dc40f9234e4c7f9010a5e46 100644 (file)
@@ -1129,12 +1129,20 @@ static pj_bool_t pubsub_on_rx_subscribe_request(pjsip_rx_data *rdata)
 
        expires_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_EXPIRES, rdata->msg_info.msg->hdr.next);
 
-       if (expires_header && expires_header->ivalue < endpoint->subscription.minexpiry) {
-               ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %u\n",
+       if (expires_header) {
+               if (expires_header->ivalue == 0) {
+                       ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n",
+                               ast_sorcery_object_get_id(endpoint));
+                       pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400, NULL, NULL, NULL);
+                               return PJ_TRUE;
+               }
+               if (expires_header->ivalue < endpoint->subscription.minexpiry) {
+                       ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %d\n",
                                expires_header->ivalue, ast_sorcery_object_get_id(endpoint), endpoint->subscription.minexpiry);
-               pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
-               return PJ_TRUE;
-       }
+                       pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
+                       return PJ_TRUE;
+               }
+        }
 
        handler = subscription_get_handler_from_rdata(rdata);
        if (!handler) {
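Review bot: The new guard `if (expires_header->ivalue == 0)` rejects only the exact value zero, and nothing in the hunk shows that a negative Expires value is stopped before it. `ivalue` is logged with `%d` and the minimum was printed with `%u` before this change, so if `endpoint->subscription.minexpiry` is unsigned, the comparison `expires_header->ivalue < endpoint->subscription.minexpiry` would convert a negative value to a large unsigned one and let it through; `if (expires_header->ivalue <= 0)` would close that, and the `%u` to `%d` change should be checked against the field's declared type. The log text in the same branch reads "Susbscription", which will not match log searches or alert rules keyed on "Subscription"; `"Subscription request from endpoint %s rejected. Expiration of 0 is invalid\n"` fixes it. pubsub_on_rx_subscribe_request starts and ends outside the hunk, so the later timer creation and the path taken when no Expires header is present are not visible here.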