From 7f99c1f7e0c1d34c45af255ef512063fd5c22993 Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Thu, 20 Sep 2018 23:57:34 +0200 Subject: [PATCH] asterisk-13.x: fix for AST-2018-009 Add upstream fix for AST-2018-009: Remote crash vulnerability in HTTP websocket upgrade The vulnerability affects the res_http_websocket.so module. Signed-off-by: Sebastian Kemper --- net/asterisk-13.x/Makefile | 2 +- .../patches/070-AST-2018-009-13.diff | 89 +++++++++++++++++++ 2 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 net/asterisk-13.x/patches/070-AST-2018-009-13.diff diff --git a/net/asterisk-13.x/Makefile b/net/asterisk-13.x/Makefile index 3212933..b789fbb 100644 --- a/net/asterisk-13.x/Makefile +++ b/net/asterisk-13.x/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=asterisk13 PKG_VERSION:=13.19.2 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=asterisk-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://downloads.asterisk.org/pub/telephony/asterisk/releases/ diff --git a/net/asterisk-13.x/patches/070-AST-2018-009-13.diff b/net/asterisk-13.x/patches/070-AST-2018-009-13.diff new file mode 100644 index 0000000..986810b --- /dev/null +++ b/net/asterisk-13.x/patches/070-AST-2018-009-13.diff @@ -0,0 +1,89 @@ +From e6b0c4d27e0392a7b4b4b6717a6d1e0ea049b550 Mon Sep 17 00:00:00 2001 +From: Sean Bright +Date: Thu, 16 Aug 2018 11:45:53 -0400 +Subject: [PATCH] AST-2018-009: Fix crash processing websocket HTTP Upgrade + requests + +The HTTP request processing in res_http_websocket allocates additional +space on the stack for various headers received during an Upgrade request. +An attacker could send a specially crafted request that causes this code +to overflow the stack, resulting in a crash. + +* No longer allocate memory from the stack in a loop to parse the header +values. NOTE: There is a slight API change when using the passed in +strings as is. We now require the passed in strings to no longer have +leading or trailing whitespace. This isn't a problem as the only callers +have already done this before passing the strings to the affected +function. + +ASTERISK-28013 #close + +Change-Id: Ia564825a8a95e085fd17e658cb777fe1afa8091a +--- + res/res_http_websocket.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/res/res_http_websocket.c b/res/res_http_websocket.c +index 440bf41..0ff876b 100644 +--- a/res/res_http_websocket.c ++++ b/res/res_http_websocket.c +@@ -736,7 +736,8 @@ static void websocket_bad_request(struct ast_tcptls_session_instance *ser) + int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instance *ser, const struct ast_http_uri *urih, const char *uri, enum ast_http_method method, struct ast_variable *get_vars, struct ast_variable *headers) + { + struct ast_variable *v; +- char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL, *requested_protocols = NULL, *protocol = NULL; ++ const char *upgrade = NULL, *key = NULL, *key1 = NULL, *key2 = NULL, *protos = NULL; ++ char *requested_protocols = NULL, *protocol = NULL; + int version = 0, flags = 1; + struct ast_websocket_protocol *protocol_handler = NULL; + struct ast_websocket *session; +@@ -755,16 +756,15 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan + /* Get the minimum headers required to satisfy our needs */ + for (v = headers; v; v = v->next) { + if (!strcasecmp(v->name, "Upgrade")) { +- upgrade = ast_strip(ast_strdupa(v->value)); ++ upgrade = v->value; + } else if (!strcasecmp(v->name, "Sec-WebSocket-Key")) { +- key = ast_strip(ast_strdupa(v->value)); ++ key = v->value; + } else if (!strcasecmp(v->name, "Sec-WebSocket-Key1")) { +- key1 = ast_strip(ast_strdupa(v->value)); ++ key1 = v->value; + } else if (!strcasecmp(v->name, "Sec-WebSocket-Key2")) { +- key2 = ast_strip(ast_strdupa(v->value)); ++ key2 = v->value; + } else if (!strcasecmp(v->name, "Sec-WebSocket-Protocol")) { +- requested_protocols = ast_strip(ast_strdupa(v->value)); +- protos = ast_strdupa(requested_protocols); ++ protos = v->value; + } else if (!strcasecmp(v->name, "Sec-WebSocket-Version")) { + if (sscanf(v->value, "%30d", &version) != 1) { + version = 0; +@@ -778,7 +778,7 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan + ast_sockaddr_stringify(&ser->remote_address)); + ast_http_error(ser, 426, "Upgrade Required", NULL); + return 0; +- } else if (ast_strlen_zero(requested_protocols)) { ++ } else if (ast_strlen_zero(protos)) { + /* If there's only a single protocol registered, and the + * client doesn't specify what protocol it's using, go ahead + * and accept the connection */ +@@ -799,9 +799,12 @@ int AST_OPTIONAL_API_NAME(ast_websocket_uri_cb)(struct ast_tcptls_session_instan + return 0; + } + +- /* Iterate through the requested protocols trying to find one that we have a handler for */ +- while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) { +- protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY); ++ if (!protocol_handler && protos) { ++ requested_protocols = ast_strdupa(protos); ++ /* Iterate through the requested protocols trying to find one that we have a handler for */ ++ while (!protocol_handler && (protocol = strsep(&requested_protocols, ","))) { ++ protocol_handler = ao2_find(server->protocols, ast_strip(protocol), OBJ_KEY); ++ } + } + + /* If no protocol handler exists bump this back to the requester */ +-- +2.7.4 + -- 2.30.2