Summary: ASTERISK-14536: [patch] Comfort noise frame with f->data NULL but f->datalen 160
Reporter: Benny Amorsen (amorsen)
Labels:
Date Opened: 2009-11-13 09:46:15.000-0600
Date Closed: 2009-11-30 17:58:59.000-0600
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Channels/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) cng-crash-backtrace.txt, (1) comfort.pcap, (2) issue16242.diff

Description:
Asterisk crashed, and the last message was:

    [Nov 13 11:19:11] NOTICE[31951] rtp.c: Comfort noise support incomplete in Asterisk (RFC 3389). Please turn off on client if possible. Client IP: 10.6.11.241

****** ADDITIONAL INFORMATION ******
Version is 1.6.0.16-rc2
Comments:

By: Benny Amorsen (amorsen) 2009-11-14 08:15:48.000-0600

It happened again, and I had a tcpdump running. Here's what tethereal says:

    Frame 14 (215 bytes on wire, 215 bytes captured)
        Arrival Time: Nov 14, 2009 14:35:49.524087000
        [Time delta from previous captured frame: 0.061153000 seconds]
        [Time delta from previous displayed frame: 53.283817000 seconds]
        [Time since reference or first frame: 53.283817000 seconds]
        Frame Number: 14
        Frame Length: 215 bytes
        Capture Length: 215 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:rtp]
    Ethernet II, Src: HewlettP_28:02:85 (00:1e:0b:28:02:85), Dst: HewlettP_a9:a9:84 (00:24:81:a9:a9:84)
        Destination: HewlettP_a9:a9:84 (00:24:81:a9:a9:84)
            Address: HewlettP_a9:a9:84 (00:24:81:a9:a9:84)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: HewlettP_28:02:85 (00:1e:0b:28:02:85)
            Address: HewlettP_28:02:85 (00:1e:0b:28:02:85)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.6.11.247 (10.6.11.247), Dst: 10.10.42.132 (10.10.42.132)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0xb8 (DSCP 0x2e: Expedited Forwarding; ECN: 0x00)
            1011 10.. = Differentiated Services Codepoint: Expedited Forwarding (0x2e)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 201
        Identification: 0x5f7f (24447)
        Flags: 0x00
            0... = Reserved bit: Not set
            .0.. = Don't fragment: Not set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 66
        Protocol: UDP (0x11)
        Header checksum: 0xcd62 [correct]
            [Good: True]
            [Bad : False]
        Source: 10.6.11.247 (10.6.11.247)
        Destination: 10.10.42.132 (10.10.42.132)
    User Datagram Protocol, Src Port: 49152 (49152), Dst Port: 14876 (14876)
        Source port: 49152 (49152)
        Destination port: 14876 (14876)
        Length: 181
        Checksum: 0x79ee [correct]
            [Good Checksum: True]
            [Bad Checksum: False]
    Real-Time Transport Protocol
        [Stream setup by SDP (frame 12)]
            [Setup frame: 12]
            [Setup Method: SDP]
        10.. .... = Version: RFC 1889 Version (2)
        ..0. .... = Padding: False
        ...0 .... = Extension: False
        .... 0000 = Contributing source identifiers count: 0
        0... .... = Marker: False
        Payload type: Comfort noise (13)
        Sequence number: 22521
        [Extended sequence number: 88057]
        Timestamp: 1801621036
        Synchronization Source identifier: 0x5bac0eac (1538002604)
        Payload: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF...

By: Olle Johansson (oej) 2009-11-19 03:01:17.000-0600

This is quite serious, a packet of death. Let's see if we can force this to happen.

By: Olle Johansson (oej) 2009-11-19 03:17:42.000-0600

Seems like the f->datalen is first set to zero, then reset to the data length, which seems silly. Test this patch.

By: Olle Johansson (oej) 2009-11-19 03:18:02.000-0600

And please test if this is repeatable. If so, we have a packet of death.

By: Olle Johansson (oej) 2009-11-19 07:45:56.000-0600

I can crash asterisk 1.6.0 by just sending these evil packets.

By: Olle Johansson (oej) 2009-11-19 08:01:41.000-0600

With the patch, Asterisk 1.6.0 doesn't crash on my mac. Without it, I can repeat the crash.

By: Olle Johansson (oej) 2009-11-19 08:12:12.000-0600

Adding a pcap with the packet

By: Olle Johansson (oej) 2009-11-19 08:18:42.000-0600

Asterisk 1.4 seems to handle it much better. We need the same patch, but the packet doesn't seem to kill Asterisk.

By: Olle Johansson (oej) 2009-11-19 08:26:33.000-0600

Asterisk 1.4 (svn) output:

    [Nov 19 15:19:29] DEBUG[73760]: rtp.c:828 process_rfc3389: - RTP 3389 Comfort noise event: Level 0 (len = 161)
    [Nov 19 15:19:29] NOTICE[73760]: rtp.c:831 process_rfc3389: Comfort noise support incomplete in Asterisk (RFC 3389). Please turn off on client if possible. Client IP: 10.1.27.90
    [Nov 19 15:19:29] WARNING[73760]: chan_sip.c:3961 sip_write: Can't send 10 type frames with SIP write

By: Olle Johansson (oej) 2009-11-19 08:27:15.000-0600

Tested over 3.000 calls with sipp and 1.4 (svn)

By: David Vossel (dvossel) 2009-11-23 17:44:24.000-0600

OEJ, I am unable to test this, but your patch looks sound. I'm releasing the security advisory to include your patch. Do you feel comfortable the patch completely resolves the issue for all 1.2, 1.4, and 1.6.x branches?

By: David Vossel (dvossel) 2009-11-24 15:11:04.000-0600

oej, I reproduced the issue with your pcap file and tested it with sipp. It appears to completely resolve the issue.

By: Digium Subversion (svnbot) 2009-11-30 11:21:34.000-0600

Repository: asterisk
Revision: 231441

U branches/1.4/main/rtp.c

------------------------------------------------------------------------
r231441 | dvossel | 2009-11-30 11:21:34 -0600 (Mon, 30 Nov 2009) | 11 lines

fixes crash caused by RTP comfort noise payload greater than 24 bytes

AST-2009-101

(closes issue ASTERISK-14536)
Reported by: amorsen
Patches:
  issue16242.diff uploaded by oej (license 306)
Tested by: amorsen, oej, dvossel
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231441

By: Digium Subversion (svnbot) 2009-11-30 11:29:44.000-0600

Repository: asterisk
Revision: 231441

U branches/1.4/main/rtp.c

------------------------------------------------------------------------
r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines

fixes crash caused by RTP comfort noise payload greater than 24 bytes

AST-2009-010

(closes issue ASTERISK-14536)
Reported by: amorsen
Patches:
  issue16242.diff uploaded by oej (license 306)
Tested by: amorsen, oej, dvossel
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231441

By: Digium Subversion (svnbot) 2009-11-30 11:35:55.000-0600

Repository: asterisk
Revision: 231491

_U trunk/
U trunk/res/res_rtp_asterisk.c

------------------------------------------------------------------------
r231491 | dvossel | 2009-11-30 11:35:54 -0600 (Mon, 30 Nov 2009) | 17 lines

Merged revisions 231441 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
  r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines

  fixes crash caused by RTP comfort noise payload greater than 24 bytes

  AST-2009-010

  (closes issue ASTERISK-14536)
  Reported by: amorsen
  Patches:
    issue16242.diff uploaded by oej (license 306)
  Tested by: amorsen, oej, dvossel
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231491

By: Digium Subversion (svnbot) 2009-11-30 11:38:42.000-0600

Repository: asterisk
Revision: 231505

_U branches/1.6.2/
U branches/1.6.2/main/rtp.c

------------------------------------------------------------------------
r231505 | dvossel | 2009-11-30 11:38:41 -0600 (Mon, 30 Nov 2009) | 24 lines

Merged revisions 231491 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r231491 | dvossel | 2009-11-30 11:28:28 -0600 (Mon, 30 Nov 2009) | 17 lines

  Merged revisions 231441 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines

    fixes crash caused by RTP comfort noise payload greater than 24 bytes

    AST-2009-010

    (closes issue ASTERISK-14536)
    Reported by: amorsen
    Patches:
      issue16242.diff uploaded by oej (license 306)
    Tested by: amorsen, oej, dvossel
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231505

By: Digium Subversion (svnbot) 2009-11-30 11:40:35.000-0600

Repository: asterisk
Revision: 231512

_U branches/1.6.1/
U branches/1.6.1/main/rtp.c

------------------------------------------------------------------------
r231512 | dvossel | 2009-11-30 11:40:35 -0600 (Mon, 30 Nov 2009) | 24 lines

Merged revisions 231491 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r231491 | dvossel | 2009-11-30 11:28:28 -0600 (Mon, 30 Nov 2009) | 17 lines

  Merged revisions 231441 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines

    fixes crash caused by RTP comfort noise payload greater than 24 bytes

    AST-2009-010

    (closes issue ASTERISK-14536)
    Reported by: amorsen
    Patches:
      issue16242.diff uploaded by oej (license 306)
    Tested by: amorsen, oej, dvossel
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231512

By: Digium Subversion (svnbot) 2009-11-30 11:41:43.000-0600

Repository: asterisk
Revision: 231517

_U branches/1.6.0/
U branches/1.6.0/main/rtp.c

------------------------------------------------------------------------
r231517 | dvossel | 2009-11-30 11:41:43 -0600 (Mon, 30 Nov 2009) | 24 lines

Merged revisions 231491 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
  r231491 | dvossel | 2009-11-30 11:28:28 -0600 (Mon, 30 Nov 2009) | 17 lines

  Merged revisions 231441 via svnmerge from
  https://origsvn.digium.com/svn/asterisk/branches/1.4

  ........
    r231441 | dvossel | 2009-11-30 11:14:08 -0600 (Mon, 30 Nov 2009) | 11 lines

    fixes crash caused by RTP comfort noise payload greater than 24 bytes

    AST-2009-010

    (closes issue ASTERISK-14536)
    Reported by: amorsen
    Patches:
      issue16242.diff uploaded by oej (license 306)
    Tested by: amorsen, oej, dvossel
  ........
................
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231517

By: Digium Subversion (svnbot) 2009-11-30 11:43:15.000-0600

Repository: asterisk
Revision: 231518

U branches/1.2/rtp.c

------------------------------------------------------------------------
r231518 | dvossel | 2009-11-30 11:43:14 -0600 (Mon, 30 Nov 2009) | 10 lines

fixes crash caused by RTP comfort noise payload greater than 24 bytes

AST-2009-010

(closes issue ASTERISK-14536)
Reported by: amorsen
Patches:
  issue16242.diff uploaded by oej (license 306)
Tested by: amorsen, oej, dvossel
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=231518

By: Olle Johansson (oej) 2009-11-30 11:48:06.000-0600

I found no crash issue with 1.4 though - did you?
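
Added example (not part of the original thread, and not Asterisk source or issue16242.diff): a simplified C model of the state named in the issue title, where f->data is NULL but f->datalen is 160, next to a form that keeps the pointer and length consistent. The struct, the function names, the buffer and the use of 24 as the size limit are assumptions drawn from the title, the "set to zero, then reset" comment and the commit message.

```c
#include <string.h>

#define CNG_MAX 24   /* assumed limit, taken from the commit message */

struct frame {       /* hypothetical stand-in for the frame "f" in the thread */
    unsigned char *data;
    int datalen;
    int level;
};

static unsigned char rawdata[CNG_MAX];   /* assumed receive buffer */

/* Pattern described in the thread: datalen is zeroed for an oversized
 * payload, then reset to the payload length further down. */
static int cng_before(struct frame *f, const unsigned char *pkt, int len)
{
    if (len < 1)
        return -1;
    if (len < CNG_MAX) {
        f->data = rawdata;
        memcpy(f->data, pkt + 1, (size_t)len - 1);
    } else {
        f->data = NULL;
        f->datalen = 0;
    }
    f->level = pkt[0] & 0x7f;
    f->datalen = len - 1;    /* overwrites the 0 while data is still NULL */
    return 0;
}

/* Hardened form: datalen is set once, beside the pointer it describes. */
static int cng_after(struct frame *f, const unsigned char *pkt, int len)
{
    if (len < 1)
        return -1;           /* need at least the noise-level byte */
    f->level = pkt[0] & 0x7f;
    f->data = (len < CNG_MAX) ? rawdata : NULL;
    f->datalen = f->data ? len - 1 : 0;
    if (f->datalen > 0)
        memcpy(f->data, pkt + 1, (size_t)f->datalen);
    return 0;
}

/* Invariant a consumer should check before reading f->data. */
static int frame_is_consistent(const struct frame *f)
{
    return f->datalen >= 0 && (f->datalen == 0 || f->data != NULL);
}
```

Any code that later copies or transcodes datalen bytes from data depends on the invariant in frame_is_consistent; checking it at the point where frames are handed on turns this class of defect into a dropped frame.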