Control: -1 + patch On Tue, Nov 11, 2014 at 10:56:34AM +0100, Dirk Teurlings - SIGNET B.V. wrote: > > Looking into this I found that in chan_sip.c in function build_route > there is a definition of 'char rr_copy[256]' (line 14252). This is > too small as you can see. My proposed fix would be to enlarge this > field to a bigger value.
Converted into a patch. Find it attached. > For now I have set mine to 8192. This completely resolves the issue. To avoid the risc of memory exhausting enlarged from 256 to 512. Groeten Geert Stappers -- Leven en laten leven
From 940660f2d8f4e4551044032350bf5008c95317a0 Mon Sep 17 00:00:00 2001
From: Stappers Geert <stapp...@paddy.gpm.stappers.nl>
Date: Sat, 13 Dec 2014 13:44:11 +0100
Subject: [PATCH] Transformed #769108 into a patch.
It is against the Wheezy branch
modified: debian/changelog
new file: debian/patches/rr_copy_array_too_small
modified: debian/patches/series
---
debian/changelog | 8 +++++--
debian/patches/rr_copy_array_too_small | 41 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 48 insertions(+), 2 deletions(-)
create mode 100644 debian/patches/rr_copy_array_too_small
diff --git a/debian/changelog b/debian/changelog
index 782bafc..552b920 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,13 @@
-asterisk (1:1.8.13.1~dfsg1-3+deb7u4) UNRELEASED; urgency=low
+asterisk (1:1.8.13.1~dfsg1-3+deb7u4.1) UNRELEASED; urgency=low
+ [ Tzafrir Cohen ]
* Patch AST-2014-001 (CVE-2014-2286) - Stack overflow in HTTP processing
of Cookie headers.
- -- Tzafrir Cohen <tzaf...@debian.org> Wed, 12 Mar 2014 22:50:01 +0200
+ [ Stappers Geert ]
+ * rr_copy array in chan_sip.c larger (Closes: #769108)
+
+ -- Stappers Geert <stapp...@debian.org> Sat, 13 Dec 2014 13:29:15 +0100
asterisk (1:1.8.13.1~dfsg1-3+deb7u3) stable-security; urgency=high
diff --git a/debian/patches/rr_copy_array_too_small b/debian/patches/rr_copy_array_too_small
new file mode 100644
index 0000000..9af380b
--- /dev/null
+++ b/debian/patches/rr_copy_array_too_small
@@ -0,0 +1,41 @@
+Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769108
+Author: "Dirk Teurlings - SIGNET B.V." <dteurli...@signet.nl>
+Description: rr_copy array too small for some record-route headers
+
+Connecting with Microsoft Lync through one or more SIP proxies fails when
+the Record-Route value exceeds 256 characters in length. Asterisk's log
+shows the following warning message:
+
+[Nov 10 16:11:04] WARNING[22109]: sip/reqresp_parser.c:1070
+ get_in_brackets_full: No closing bracket found in
+ '<sip:192.168.10.2;r2=on;lr;ftag=as36b4c879;vsf=AAAAAAAAAAA'
+
+where the complete Record-Route was:
+<sip:127.1.2.3;line=sr-EcmQ.7qAr7xCqCtAi7V9q7qy.13CnXJzETMC8bByn1ehE7xMPcthPLxh6-3R6zBREzEzianBn7eQ.16z67Bwusjwusjwusjwusjwusjwusjwusjwu2iY3smwsaAQdBjXOKjw3-RgsaElrdl2OXuM67qAr7YU67KhPajyogmmEQ**>,<sip:192.168.10.2;r2=on;lr;ftag=as736f5b00;vsf=AAAAAAAAAAAAAAAAAAAAAABCUEIARlpOQVhAAFxWRg--;did=f31.5bf1;nat=yes>.
+
+As you can see it cuts the Record-Route string short at exactly 256 chars.
+
+Looking into this I found that in chan_sip.c in function build_route
+there is a definition of 'char rr_copy[256]' (line 14252). This is too
+small as you can see. My proposed fix would be to enlarge this field to
+a bigger value. For now I have set mine to 8192. This completely resolves
+the issue.
+
+
+Transforming that information into an unified diff was
+done by Geert Stappers <stapp...@stappers.nl>.
+
+Stappers choose for s/256/512/ to avoid the risc of memory exhausting.
+
+
+--- a/channels/chan_sip.c
++++ b/channels/chan_sip.c
+@@ -14231,7 +14231,7 @@ static void build_route(struct sip_pvt *p, struct sip_request *req, int backward
+ /* 1st we pass through all the hops in any Record-Route headers */
+ for (;;) {
+ /* Each Record-Route header */
+- char rr_copy[256];
++ char rr_copy[512];
+ char *rr_copy_ptr;
+ char *rr_iter;
+ rr = __get_header(req, "Record-Route", &start);
diff --git a/debian/patches/series b/debian/patches/series
index 1922f76..96c133f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,6 +25,7 @@ kfreebsd
menuselect_cflags
ilbc_disable
httpd_port
+rr_copy_array_too_small
AST-2012-012
AST-2012-013
--
2.1.3
signature.asc
Description: Digital signature
