FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

asterisk -- RTP Resource Exhaustion

Affected packages
asterisk11 < 11.23.1
asterisk13 < 13.11.1

Details

VuXML ID 5cb18881-7604-11e6-b362-001999f8d30b
Discovery 2016-08-05
Entry 2016-09-08

The Asterisk project reports:

The overlap dialing feature in chan_sip allows chan_sip to report to a device that the number that has been dialed is incomplete and more digits are required. If this functionality is used with a device that has performed username/password authentication RTP resources are leaked. This occurs because the code fails to release the old RTP resources before allocating new ones in this scenario. If all resources are used then RTP port exhaustion will occur and no RTP sessions are able to be set up.

If overlap dialing support is not needed the "allowoverlap" option can be set to no. This will stop any usage of the scenario which causes the resource exhaustion.

References

URL http://downloads.asterisk.org/pub/security/AST-2016-007.html