Headline
CVE-2021-32686
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.
There are a couple of issues found in the SSL socket:
- A race condition between callback and destroy, due to the accepted socket having no group lock.
- SSL socket parent/listener may get destroyed during handshake.
Impact
Both issues were reported to happen intermittently in heavy load TLS connections on the server. They cause a crash, resulting in a denial of service. Client apps are typically not affected unless they accept incoming TLS connections and anticipate many such connections.
Patches
The patch is available in commit d5f95aa.
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]
Related news
Gentoo Linux Security Advisory 202210-37 - Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. Versions less than 2.12.1 are affected.