Bug#380054: CVE-2006-2898: Denial of service in Asterisk

Martin Schulze joey at infodrom.org
Thu Jul 27 06:34:17 UTC 2006


Package: asterisk
Version: 1.2.10.dfsg-1
Severity: grave
Tags: security patch

A problem has been discovered in the IAX2 channel driver of Asterisk,
an Open Source Private Branch Exchange and telephony toolkit, which
may allow a remote to cause au crash of the Asterisk server.

The patch used for security is attached.

Regards,

	Joey


-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_CVE-2006-2898.dpatch by Joey Schulze <joey at debian.org>
##
## DP: Bug in the IAX2 channel allows remote attackers to craft
## DP: a denial of service.

@DPATCH@
--- asterisk-1.0.7.dfsg.1.orig/channels/chan_iax2.c	2005-03-18 18:30:05.000000000 +0100
 ++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c	2006-06-07 08:17:19.000000000 +0200
@@ -5064,10 +5064,20 @@ static int socket_read(int *id, int fd, 
 		return 1;
 	}
 	if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000)) {
+		if (res < sizeof(*vh)) {
+			ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a mini video frame but is too short\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+			return 1;
+			
+		}
 		/* This is a video frame, get call number */
 		fr.callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1);
 		minivid = 1;
-	} else if (meta->zeros == 0) {
+	} else if ((meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
+		if (res < sizeof(*meta)) {
+			ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a meta frame but is too short\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+			return 1;
+			
+		}
 		/* This is a meta header */
 		switch(meta->metacmd) {
 		case IAX_META_TRUNK:
@@ -5164,7 +5174,7 @@ static int socket_read(int *id, int fd, 
 	if (iaxdebug)
 		iax_showframe(NULL, fh, 1, &sin, res - sizeof(struct ast_iax2_full_hdr));
 #endif
-	if (ntohs(mh->callno) & IAX_FLAG_FULL) {
+	if ((res >= sizeof(*fh)) && ntohs(mh->callno) & IAX_FLAG_FULL) {
 		/* Get the destination call number */
 		dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
 		/* Retrieve the type and subclass */


More information about the Pkg-voip-maintainers mailing list