From 6b05c47646d226fdf690d037174cc01b02123e9a Mon Sep 17 00:00:00 2001 From: Matthew Jordan Date: Tue, 27 Aug 2013 15:49:14 +0000 Subject: [PATCH] AST-2013-004: Fix crash when handling ACK on dialog that has no channel A remote exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumed that the channel would always be present. This patch adds a check such that the SDP will only be parsed and applied if Asterisk has a channel present that is associated with the dialog. Note that the patch being applied was modified only slightly from the patch provided by Walter Doekes of OSSO B.V. (closes issue ASTERISK-21064) Reported by: Colin Cuthbertson Tested by: wdoekes, Colin Cutherbertson patches: issueA21064_fix.patch uploaded by wdoekes (License 5674) git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@397710 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- channels/chan_sip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/channels/chan_sip.c b/channels/chan_sip.c index 11838711fe..71a640b2ed 100644 --- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -26004,7 +26004,7 @@ static int handle_incoming(struct sip_pvt *p, struct sip_request *req, struct as p->invitestate = INV_TERMINATED; p->pendinginvite = 0; acked = __sip_ack(p, seqno, 1 /* response */, 0); - if (find_sdp(req)) { + if (p->owner && find_sdp(req)) { if (process_sdp(p, req, SDP_T38_NONE)) { return -1; } -- 2.47.3
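Review bot: The new `p->owner &&` guard on the `find_sdp(req)` test in the ACK branch of handle_incoming() has no comment, and it skips the SDP silently. Nothing at the call site tells a later reader why the owner can be NULL here. A short comment above the condition, saying that an ACK carrying SDP can arrive after the channel has been terminated and that process_sdp() must not run without a channel, would keep the check from being removed in a later cleanup. Because the commit message describes this as remotely triggerable, a debug-level log line for the case where `find_sdp(req)` is true but `p->owner` is NULL would also let operators see such ACKs instead of having them vanish. The guard protects only this one call: if process_sdp() is what assumes a channel, it is worth confirming that its other callers cannot reach it with a NULL owner, or moving the check into process_sdp() itself. Finally, `p->owner` is read here after `__sip_ack()` returns; please confirm the dialog is locked along this path so the owner cannot be cleared between the check and the process_sdp() call.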