Details
Description
There is logic in res_rtp_asterisk which handles RTCP RR/SR record report blocks. This code was originally written to handle a single RR/SR report, but during HEP work the code was changed so multiple RR/SR reports could be handled. However, report_counter is not reset between processing RR/SR records, which can result in writing outside of allocated memory on the next RR/SR record in the packet.
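The pattern that avoids this class of bug, as an added example (not Asterisk's code and not the attached patch): a simplified compound RTCP parser that resets the report block index for every SR/RR record and checks it against that record's own length. The names `parse_rtcp`, `struct report` and `build_sample` are hypothetical; the header layout follows RFC 3550.

```c
#include <stdint.h>
#include <string.h>

#define RTCP_PT_SR 200
#define RTCP_PT_RR 201
#define BLOCK_LEN  24   /* size of one report block */
#define MAX_BLOCKS 31   /* RC is a 5-bit field */

struct report { unsigned pt, count; uint32_t ssrc[MAX_BLOCKS]; };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the number of SR/RR records stored in out[], or -1 if malformed. */
int parse_rtcp(const uint8_t *p, size_t len, struct report *out, size_t max_out) {
    size_t pos = 0;
    int n = 0;
    while (len - pos >= 4) {
        unsigned rc = p[pos] & 0x1f, pt = p[pos + 1];
        size_t rec_len = ((((size_t)p[pos + 2] << 8) | p[pos + 3]) + 1) * 4;
        if ((p[pos] >> 6) != 2 || rec_len > len - pos)
            return -1;                       /* bad version or truncated record */
        if (pt == RTCP_PT_SR || pt == RTCP_PT_RR) {
            size_t off = (pt == RTCP_PT_SR) ? 28 : 8;  /* header, SSRC, SR sender info */
            unsigned report_counter = 0;     /* reset per record, never carried over */
            if ((size_t)n >= max_out || off + (size_t)rc * BLOCK_LEN > rec_len)
                return -1;                   /* RC claims more blocks than the record holds */
            for (; report_counter < rc; report_counter++, off += BLOCK_LEN)
                out[n].ssrc[report_counter] = be32(p + pos + off);
            out[n].pt = pt;
            out[n++].count = report_counter;
        }
        pos += rec_len;
    }
    return pos == len ? n : -1;
}

/* Constructed sample: compound packet of two RRs, one report block each (64 bytes). */
size_t build_sample(uint8_t *buf) {
    memset(buf, 0, 64);
    for (int i = 0; i < 2; i++) {
        uint8_t *r = buf + 32 * i;
        r[0] = 0x81; r[1] = RTCP_PT_RR; r[3] = 7;  /* V=2, RC=1, length=7 words */
        r[11] = (uint8_t)(0xA0 + i);               /* SSRC of the reported source */
    }
    return 64;
}

int main(void) { uint8_t b[64]; struct report o[4]; return parse_rtcp(b, build_sample(b), o, 4) == 2 ? 0 : 1; }
```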
Issue Links
- is duplicated by ASTERISK-27382: crash after an invalid rtcp packet from GT48 FXS gateway (Closed)
- is a clone of SWP-10081
I have attached the draft security advisory and patch which is currently up for review that resolves the problem. I do not currently have a time frame for when a release will occur that incorporates it but will update this issue when I do.