Package: asterisk
Version: 1.2.10.dfsg-1
Severity: grave
Tags: security patch
A problem has been discovered in the IAX2 channel driver of Asterisk,
an Open Source Private Branch Exchange and telephony toolkit, which
may allow a remote to cause au crash of the Asterisk server.
The patch used for security is attached.
Regards,
Joey
--
It's time to close the windows.
Please always Cc to me when replying to me on the lists.
#! /bin/sh /usr/share/dpatch/dpatch-run
## 99_CVE-2006-2898.dpatch by Joey Schulze [EMAIL PROTECTED]
##
## DP: Bug in the IAX2 channel allows remote attackers to craft
## DP: a denial of service.
@DPATCH@
--- asterisk-1.0.7.dfsg.1.orig/channels/chan_iax2.c 2005-03-18
18:30:05.0 +0100
++ asterisk-1.0.7.dfsg.1/channels/chan_iax2.c 2006-06-07 08:17:19.0
+0200
@@ -5064,10 +5064,20 @@ static int socket_read(int *id, int fd,
return 1;
}
if ((vh-zeros == 0) (ntohs(vh-callno) 0x8000)) {
+ if (res sizeof(*vh)) {
+ ast_log(LOG_WARNING, Rejecting packet from '%s.%d'
that is flagged as a mini video frame but is too short\n, ast_inet_ntoa(iabuf,
sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+ return 1;
+
+ }
/* This is a video frame, get call number */
fr.callno = find_callno(ntohs(vh-callno) ~0x8000, dcallno,
sin, new, 1);
minivid = 1;
- } else if (meta-zeros == 0) {
+ } else if ((meta-zeros == 0) !(ntohs(meta-metacmd) 0x8000)) {
+ if (res sizeof(*meta)) {
+ ast_log(LOG_WARNING, Rejecting packet from '%s.%d'
that is flagged as a meta frame but is too short\n, ast_inet_ntoa(iabuf,
sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+ return 1;
+
+ }
/* This is a meta header */
switch(meta-metacmd) {
case IAX_META_TRUNK:
@@ -5164,7 +5174,7 @@ static int socket_read(int *id, int fd,
if (iaxdebug)
iax_showframe(NULL, fh, 1, sin, res - sizeof(struct
ast_iax2_full_hdr));
#endif
- if (ntohs(mh-callno) IAX_FLAG_FULL) {
+ if ((res = sizeof(*fh)) ntohs(mh-callno) IAX_FLAG_FULL) {
/* Get the destination call number */
dcallno = ntohs(fh-dcallno) ~IAX_FLAG_RETRANS;
/* Retrieve the type and subclass */