From a877e0d94b263bcb3d2b378dc952b759d58a2b43 Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Mon, 28 Sep 2015 17:07:42 -0500
Subject: [PATCH] AST-2016-002 chan_sip.c: Fix retransmission timeout integer
 overflow.

Setting the sip.conf timert1 value to a value higher than 1245 can cause
an integer overflow and result in large retransmit timeout times.  These
large timeout times hold system file descriptors hostage and can cause the
system to run out of file descriptors.

NOTE: The default sip.conf timert1 value is 500 which does not expose the
vulnerability.

* The overflow is now detected and the previous timeout time is
calculated.

ASTERISK-25397 #close
Reported by: Alexander Traud

Change-Id: Ia7231f2f415af1cbf90b923e001b9219cff46290
---
 channels/chan_sip.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 10b0d23f2d..aaf0b6d51d 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -3970,6 +3970,13 @@ static int retrans_pkt(const void *data)
 			}
 
 			/* For non-invites, a maximum of 4 secs */
+			if (INT_MAX / pkt->timer_a < pkt->timer_t1) {
+				/*
+				 * Uh Oh, we will have an integer overflow.
+				 * Recalculate previous timeout time instead.
+				 */
+				pkt->timer_a = pkt->timer_a / 2;
+			}
 			siptimer_a = pkt->timer_t1 * pkt->timer_a;	/* Double each time */
 			if (pkt->method != SIP_INVITE && siptimer_a > 4000) {
 				siptimer_a = 4000;
-- 
2.47.2