res_pjsip_pubsub: unauthenticated remote crash in PJSIP pub/sub framework

A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's "sub_min_expiry" is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion raised. The fix was to reject a subscription that is attempting to unsubscribe when not being already subscribed. Asterisk now checks for this situation appropriately and responds with a 400 instead of crashing. AST-2014-005 ASTERISK-23489 #close ........ Merged revisions 415812 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@415813 65c4cc65-6c06-0410-ace0-fbb531ad65f3

res_pjsip_pubsub: unauthenticated remote crash in PJSIP pub/sub framework
870394c0 · Kevin Harwell · e6cb6974 · 870394c0
Commit 870394c0 authored 10 years ago by Kevin Harwell
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@@ -1129,12 +1129,20 @@ static pj_bool_t pubsub_on_rx_subscribe_request(pjsip_rx_data *rdata)

 	expires_header = pjsip_msg_find_hdr(rdata->msg_info.msg, PJSIP_H_EXPIRES, rdata->msg_info.msg->hdr.next);

-	if (expires_header && expires_header->ivalue < endpoint->subscription.minexpiry) {
-		ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %u\n",
+	if (expires_header) {
+		if (expires_header->ivalue == 0) {
+			ast_log(LOG_WARNING, "Susbscription request from endpoint %s rejected. Expiration of 0 is invalid\n",
+				ast_sorcery_object_get_id(endpoint));
+			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 400, NULL, NULL, NULL);
+				return PJ_TRUE;
+		}
+		if (expires_header->ivalue < endpoint->subscription.minexpiry) {
+			ast_log(LOG_WARNING, "Subscription expiration %d is too brief for endpoint %s. Minimum is %d\n",
 				expires_header->ivalue, ast_sorcery_object_get_id(endpoint), endpoint->subscription.minexpiry);
-		pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
-		return PJ_TRUE;
-	}
+			pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 423, NULL, NULL, NULL);
+			return PJ_TRUE;
+		}
+        }

 	handler = subscription_get_handler_from_rdata(rdata);
 	if (!handler) {