
Summary: ASTERISK-14536: [patch] Comfort noise frame with f->data NULL but f->datalen 160
Reporter: Benny Amorsen (amorsen)
Labels:
Date Opened: 2009-11-13 09:46:15.000-0600
Date Closed: 2009-11-30 17:58:59.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) cng-crash-backtrace.txt
( 1) comfort.pcap
( 2) issue16242.diff

Description:
Asterisk crashed, and the last message was:
[Nov 13 11:19:11] NOTICE[31951] rtp.c: Comfort noise support incomplete in Asterisk (RFC 3389). Please turn off on client if possible. Client IP: 10.6.11.241


****** ADDITIONAL INFORMATION ******

Version is 1.6.0.16-rc2
Comments:

By: Benny Amorsen (amorsen) 2009-11-14 08:15:48.000-0600

It happened again, and I had a tcpdump running. Here's what tethereal says:

Frame 14 (215 bytes on wire, 215 bytes captured)
   Arrival Time: Nov 14, 2009 14:35:49.524087000
   [Time delta from previous captured frame: 0.061153000 seconds]
   [Time delta from previous displayed frame: 53.283817000 seconds]
   [Time since reference or first frame: 53.283817000 seconds]
   Frame Number: 14
   Frame Length: 215 bytes
   Capture Length: 215 bytes
   [Frame is marked: False]
   [Protocols in frame: eth:ip:udp:rtp]
Ethernet II, Src: HewlettP_28:02:85 (00:1e:0b:28:02:85), Dst: HewlettP_a9:a9:84 (00:24:81:a9:a9:84)
   Destination: HewlettP_a9:a9:84 (00:24:81:a9:a9:84)
       Address: HewlettP_a9:a9:84 (00:24:81:a9:a9:84)
       .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
   Source: HewlettP_28:02:85 (00:1e:0b:28:02:85)
       Address: HewlettP_28:02:85 (00:1e:0b:28:02:85)
       .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
       .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
   Type: IP (0x0800)
Internet Protocol, Src: 10.6.11.247 (10.6.11.247), Dst: 10.10.42.132 (10.10.42.132)
   Version: 4
   Header length: 20 bytes
   Differentiated Services Field: 0xb8 (DSCP 0x2e: Expedited Forwarding; ECN: 0x00)
       1011 10.. = Differentiated Services Codepoint: Expedited Forwarding (0x2e)
       .... ..0. = ECN-Capable Transport (ECT): 0
       .... ...0 = ECN-CE: 0
   Total Length: 201
   Identification: 0x5f7f (24447)
   Flags: 0x00
       0... = Reserved bit: Not set
       .0.. = Don't fragment: Not set
       ..0. = More fragments: Not set
   Fragment offset: 0
   Time to live: 66
   Protocol: UDP (0x11)
   Header checksum: 0xcd62 [correct]
       [Good: True]
       [Bad : False]
   Source: 10.6.11.247 (10.6.11.247)
   Destination: 10.10.42.132 (10.10.42.132)
User Datagram Protocol, Src Port: 49152 (49152), Dst Port: 14876 (14876)
   Source port: 49152 (49152)
   Destination port: 14876 (14876)
   Length: 181
   Checksum: 0x79ee [correct]
       [Good Checksum: True]
       [Bad Checksum: False]
Real-Time Transport Protocol
   [Stream setup by SDP (frame 12)]
       [Setup frame: 12]
       [Setup Method: SDP]
   10.. .... = Version: RFC 1889 Version (2)
   ..0. .... = Padding: False
   ...0 .... = Extension: False
   .... 0000 = Contributing source identifiers count: 0
   0... .... = Marker: False
   Payload type: Comfort noise (13)
   Sequence number: 22521
   [Extended sequence number: 88057]
   Timestamp: 1801621036
   Synchronization Source identifier: 0x5bac0eac (1538002604)
   Payload: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF...

By: Olle Johansson (oej) 2009-11-19 03:01:17.000-0600

This is quite serious, a packet of death. Let's see if we can force this to happen.

By: Olle Johansson (oej) 2009-11-19 03:17:42.000-0600

Seems like the f->datalen is first set to zero, then reset to the data length, which seems silly. Test this patch.

By: Olle Johansson (oej) 2009-11-19 03:18:02.000-0600

And please test if this is repeatable. If so, we have a packet of death.

By: Olle Johansson (oej) 2009-11-19 07:45:56.000-0600

I can crash asterisk 1.6.0 by just sending these evil packets.

By: Olle Johansson (oej) 2009-11-19 08:01:41.000-0600

With the patch, Asterisk 1.6.0 doesn't crash on my mac. Without it, I can repeat the crash.

By: Olle Johansson (oej) 2009-11-19 08:12:12.000-0600

Adding a pcap with the packet

By: Olle Johansson (oej) 2009-11-19 08:18:42.000-0600

Asterisk 1.4 seems to handle it much better. We need the same patch, but the packet doesn't seem to kill Asterisk.

By: Olle Johansson (oej) 2009-11-19 08:26:33.000-0600

Asterisk 1.4 (svn) output:

[Nov 19 15:19:29] DEBUG[73760]: rtp.c:828 process_rfc3389: - RTP 3389 Comfort noise event: Level 0 (len = 161)
[Nov 19 15:19:29] NOTICE[73760]: rtp.c:831 process_rfc3389: Comfort noise support incomplete in Asterisk (RFC 3389). Please turn off on client if possible. Client IP: 10.1.27.90
[Nov 19 15:19:29] WARNING[73760]: chan_sip.c:3961 sip_write: Can't send 10 type frames with SIP write

By: Olle Johansson (oej) 2009-11-19 08:27:15.000-0600

Tested over 3.000 calls with sipp and 1.4 (svn)

By: David Vossel (dvossel) 2009-11-23 17:44:24.000-0600

OEJ, I am unable to test this, but your patch looks sound. I'm releasing the security advisory to include your patch. Do you feel comfortable the patch completely resolves the issue for all 1.2, 1.4, and 1.6.x branches?

By: David Vossel (dvossel) 2009-11-24 15:11:04.000-0600

oej, I reproduced the issue with your pcap file and tested it with sipp. It appears to completely resolve the issue.

By: Digium Subversion (svnbot) 2009-11-30 11:21:34.000-0600

Repository: asterisk
Revision: 231441

U   branches/1.4/main/rtp.c

------------------------------------------------------------------------
r231441 | dvossel | 2009-11-30 11:21:34 -0600 (Mon, 30 Nov 2009) | 11 lines

fixes crash caused by RTP comfort noise payload greater than 24 bytes

AST-2009-101

(closes issue ASTERISK-14536)
Reported by: amorsen
Patches:
     issue16242.diff uploaded by oej (license 306)
Tested by: amorsen, oej, dvossel


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231441

By: Digium Subversion (svnbot) 2009-11-30 11:29:44.000-0600

Repository: asterisk
Revision: 231441

U   branches/1.4/main/rtp.c

------------------------------------------------------------------------
r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines

fixes crash caused by RTP comfort noise payload greater than 24 bytes

AST-2009-010

(closes issue ASTERISK-14536)
Reported by: amorsen
Patches:
     issue16242.diff uploaded by oej (license 306)
Tested by: amorsen, oej, dvossel


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231441

By: Digium Subversion (svnbot) 2009-11-30 11:35:55.000-0600

Repository: asterisk
Revision: 231491

_U  trunk/
U   trunk/res/res_rtp_asterisk.c

------------------------------------------------------------------------
r231491 | dvossel | 2009-11-30 11:35:54 -0600 (Mon, 30 Nov 2009) | 17 lines

Merged revisions 231441 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines
 
 fixes crash caused by RTP comfort noise payload greater than 24 bytes
 
 AST-2009-010
 
 (closes issue ASTERISK-14536)
 Reported by: amorsen
 Patches:
       issue16242.diff uploaded by oej (license 306)
 Tested by: amorsen, oej, dvossel
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231491

By: Digium Subversion (svnbot) 2009-11-30 11:38:42.000-0600

Repository: asterisk
Revision: 231505

_U  branches/1.6.2/
U   branches/1.6.2/main/rtp.c

------------------------------------------------------------------------
r231505 | dvossel | 2009-11-30 11:38:41 -0600 (Mon, 30 Nov 2009) | 24 lines

Merged revisions 231491 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r231491 | dvossel | 2009-11-30 11:28:28 -0600 (Mon, 30 Nov 2009) | 17 lines
 
 Merged revisions 231441 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines
   
   fixes crash caused by RTP comfort noise payload greater than 24 bytes
   
   AST-2009-010
   
   (closes issue ASTERISK-14536)
   Reported by: amorsen
   Patches:
         issue16242.diff uploaded by oej (license 306)
   Tested by: amorsen, oej, dvossel
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231505

By: Digium Subversion (svnbot) 2009-11-30 11:40:35.000-0600

Repository: asterisk
Revision: 231512

_U  branches/1.6.1/
U   branches/1.6.1/main/rtp.c

------------------------------------------------------------------------
r231512 | dvossel | 2009-11-30 11:40:35 -0600 (Mon, 30 Nov 2009) | 24 lines

Merged revisions 231491 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r231491 | dvossel | 2009-11-30 11:28:28 -0600 (Mon, 30 Nov 2009) | 17 lines
 
 Merged revisions 231441 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines
   
   fixes crash caused by RTP comfort noise payload greater than 24 bytes
   
   AST-2009-010
   
   (closes issue ASTERISK-14536)
   Reported by: amorsen
   Patches:
         issue16242.diff uploaded by oej (license 306)
   Tested by: amorsen, oej, dvossel
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231512

By: Digium Subversion (svnbot) 2009-11-30 11:41:43.000-0600

Repository: asterisk
Revision: 231517

_U  branches/1.6.0/
U   branches/1.6.0/main/rtp.c

------------------------------------------------------------------------
r231517 | dvossel | 2009-11-30 11:41:43 -0600 (Mon, 30 Nov 2009) | 24 lines

Merged revisions 231491 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r231491 | dvossel | 2009-11-30 11:28:28 -0600 (Mon, 30 Nov 2009) | 17 lines
 
 Merged revisions 231441 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines
   
   fixes crash caused by RTP comfort noise payload greater than 24 bytes
   
   AST-2009-010
   
   (closes issue ASTERISK-14536)
   Reported by: amorsen
   Patches:
         issue16242.diff uploaded by oej (license 306)
   Tested by: amorsen, oej, dvossel
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231517

By: Digium Subversion (svnbot) 2009-11-30 11:43:15.000-0600

Repository: asterisk
Revision: 231518

U   branches/1.2/rtp.c

------------------------------------------------------------------------
r231518 | dvossel | 2009-11-30 11:43:14 -0600 (Mon, 30 Nov 2009) | 10 lines

fixes crash caused by RTP comfort noise payload greater than 24 bytes

AST-2009-010

(closes issue ASTERISK-14536)
Reported by: amorsen
Patches:
     issue16242.diff uploaded by oej (license 306)
Tested by: amorsen, oej, dvossel

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231518

By: Olle Johansson (oej) 2009-11-30 11:48:06.000-0600

I found no crash issue with 1.4 though - did you?
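
A detection-side check for the condition this issue describes, as an added example that is not part of the original thread and is not Asterisk code: it parses an RTP header and flags comfort-noise packets (payload type 13) whose payload exceeds the 24 bytes named in the commit message. The function names and the in-memory sample packet are constructed for illustration; the 161-byte payload size matches the `len = 161` in the 1.4 debug output above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTP_PT_CN      13  /* "Payload type: Comfort noise (13)" in the capture */
#define CN_MAX_PAYLOAD 24  /* size named in the commit message */

/* Payload length of an RTPv2 packet, or -1 if malformed; *pt gets the payload type. */
static long rtp_payload_len(const uint8_t *p, size_t len, int *pt)
{
    size_t hdr, pad = 0;

    if (len < 12 || (p[0] >> 6) != 2)
        return -1;
    hdr = 12 + 4u * (p[0] & 0x0f);               /* fixed header + CSRC list */
    if (p[0] & 0x10) {                           /* header extension present */
        if (len < hdr + 4)
            return -1;
        hdr += 4 + 4 * (((size_t)p[hdr + 2] << 8) | p[hdr + 3]);
    }
    if (len < hdr)
        return -1;
    if (p[0] & 0x20) {                           /* padding: last octet is the count */
        pad = (len > hdr) ? p[len - 1] : 0;
        if (pad == 0 || pad > len - hdr)
            return -1;
    }
    *pt = p[1] & 0x7f;
    return (long)(len - hdr - pad);
}

/* 1 = comfort-noise packet above the threshold, 0 = acceptable, -1 = not RTP */
int cn_oversized(const uint8_t *p, size_t len)
{
    int pt = 0;
    long n = rtp_payload_len(p, len, &pt);

    return n < 0 ? -1 : (pt == RTP_PT_CN && n > CN_MAX_PAYLOAD);
}

int main(void)
{
    uint8_t pkt[12 + 161] = { 0x80, RTP_PT_CN }; /* constructed: V=2, PT 13, rest zero */

    memset(pkt + 12, 0xff, 161);                 /* 161-byte payload, as logged above */
    printf("oversized CN: %d\n", cn_oversized(pkt, sizeof pkt));
    return 0;
}
```

The input is the UDP payload of a packet on a negotiated RTP port; a return value of 1 marks traffic worth logging or dropping in front of an unpatched server.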