Remote crash vulnerability was reported in all Asterisk 11.x versions before 11.14.2.
When handling a WebSocket frame the res_http_websocket module dynamically changes the size of the memory used to allow the provided payload to fit. If a payload length of zero was received the code would incorrectly attempt to resize to zero. This operation would succeed and end up freeing the memory but be treated as a failure. When the session was subsequently torn down this memory would get freed yet again causing a crash.
Upstream bug for this:
Upstream patches are available:
This is fixed in Asterisk Open Source 11.14.2
Created asterisk tracking bugs for this issue:
Affects: fedora-all [bug 1173003]
MITRE assigned CVE-2014-9374 to this issue.
asterisk-11.17.1-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.