Summary: | ASTERISK-21190: chan_mgcp crash on chunked m= sdp line | ||
Reporter: | adomjan (adomjan) | Labels: | |
Date Opened: | 2013-02-28 06:16:42.000-0600 | Date Closed: | 2013-10-23 10:25:01 |
Priority: | Critical | Regression? | |
Status: | Closed/Complete | Components: | Channels/chan_mgcp |
Versions: | 11.2.1 | Frequency of Occurrence | One Time |
Related Issues: | |||
Environment: | FC 18 | Attachments: | ( 0) chan_mgcp.c-sscnaf_fix |
Description: | I've got from a bugy MTA a chunked message:
{noformat} 200 61838464 OK I: 11B72 v=0 o=- 61838464 72562 IN IP4 10.252.5.203 s=- c=IN IP4 10.252.5.203 b=AS:82 t=0 0 m=audio 53 {noformat} asterisk crashed, when parsed the m line {noformat} #0 0x0000003f85478d50 in strlen () from /lib64/libc.so.6 No symbol table info available. #1 0x00002aaab9a82e12 in process_sdp (sub=0x2aaaac4a3c10, req=0x40cf9010) at chan_mgcp.c:2477 __old = 0x40cfbf61 "" __len = <value optimized out> __new = <value optimized out> m = 0x40cf94b7 "audio 53" c = <value optimized out> a = <value optimized out> host = "10.252.5.203", '\0' <repeats 245 times> len = 10922 portno = 53 peercapability = <value optimized out> peerNonCodecCapability = <value optimized out> sin = {sin_family = 2, sin_port = 13568, sin_addr = { {noformat} it occured: {noformat} if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1) { {noformat} the len is unitialized no, the %30d initialized, return value will be 1, but the sscanf() never reach the %n position fix: {noformat} len = 0; if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1 || !len) { ast_log(LOG_WARNING, "Unable to determine port number or codecs for RTP in '%s'\n", m); return -1; } {noformat} in another usege not needed: {noformat} if (sscanf(codecs, "%30d%n", &codec, &len) != 1) { {noformat} if return 1 here, the sscanf always will reach the %n positions The sip channel driver is effected too many places in chan_sip.c: {noformat} if ((media == SDP_AUDIO && ((sscanf(m, "audio %30u/%30u RTP/AVP %n", &x, &numberofports, &len) == 2 && len > 0) {noformat} the len value is checked, but missing the len = 0; before sscanf() all asterisk versions are affected | ||
Comments: |

By: Rusty Newton (rnewton) 2013-03-01 09:31:50.006-0600
Thanks for the patch! Since chan_mgcp is extended support and supported by the community (and I don't think we have a current official chan_mgcp maintainer), response times will reflect that. If you need this merged in soon, you can always ask someone on the asterisk-dev list or in the #asterisk-dev chat to see if they want to review, test and push it through.

By: Kinsey Moore (kmoore) 2013-10-23 10:19:44.548-0500
It appears that this does not affect chan_sip since it already accounts for length not being set properly. This will be going into 1.8, 11, 12, and trunk shortly. |