From 2387ec07a4ab728627e2d21b6c84e01166a3912e Mon Sep 17 00:00:00 2001 From: Sebastian Kemper Date: Wed, 12 Sep 2018 20:29:55 +0200 Subject: [PATCH] kamailio-4.x: add fix for CVE-2018-16657 In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with an invalid Via header causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the crcitt_string_array core function for calculating a CRC hash for To tags. (An additional error is present in the check_via_address core function: this function also misses input validation.) This could result in denial of service and potentially the execution of arbitrary code. Patch from upstream. File paths amended for 4.x release. Signed-off-by: Sebastian Kemper --- net/kamailio-4.x/Makefile | 2 +- .../patches/131-CVE-2018-16657.patch | 46 +++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 net/kamailio-4.x/patches/131-CVE-2018-16657.patch diff --git a/net/kamailio-4.x/Makefile b/net/kamailio-4.x/Makefile index 1974540..df5e616 100644 --- a/net/kamailio-4.x/Makefile +++ b/net/kamailio-4.x/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=kamailio4 PKG_VERSION:=4.4.7 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE_URL:=https://www.kamailio.org/pub/kamailio/$(PKG_VERSION)/src/ PKG_SOURCE:=kamailio-$(PKG_VERSION)$(PKG_VARIANT)_src.tar.gz diff --git a/net/kamailio-4.x/patches/131-CVE-2018-16657.patch b/net/kamailio-4.x/patches/131-CVE-2018-16657.patch new file mode 100644 index 0000000..f38b8a8 --- /dev/null +++ b/net/kamailio-4.x/patches/131-CVE-2018-16657.patch @@ -0,0 +1,46 @@ +commit d67b2f9874ca23bd69f18df71b8f53b1b6151f6d +Author: Henning Westerholt +Date: Sun Jun 3 20:59:32 2018 +0200 + + core: improve header safe guards for Via handling + + (cherry picked from commit ad68e402ece8089f133c10de6ce319f9e28c0692) + +diff --git a/crc.c b/crc.c +index 462846324..23b2876ec 100644 +--- a/crc.c ++++ b/crc.c +@@ -231,6 +231,8 @@ void crcitt_string_array( char *dst, str src[], int size ) + ccitt = 0xFFFF; + str_len=CRC16_LEN; + for (i=0; is[name->len-1]==']')&& + (strncasecmp(name->s+1, s, len)==0)) + ) +- ) ++ ) { + return 0; +- else +- ++ } ++ else { ++ if (unlikely(name->s==NULL)) { ++ LM_CRIT("invalid Via host name\n"); ++ return -1; ++ } + if (strncmp(name->s, s, name->len)==0) + return 0; ++ } + }else{ + LM_CRIT("could not convert ip address\n"); + return -1; -- 2.30.2