ASTERISK-27429: res_rtp_asterisk: Multiple reports in an RTCP packet will write past where it should

[Home]

Summary: ASTERISK-27429: res_rtp_asterisk: Multiple reports in an RTCP packet will write past where it should

Reporter: Vitezslav Novy (vnovy) Labels: patch

Date Opened: 2017-11-17 05:36:15.000-0600 Date Closed: 2017-12-13 07:52:43.000-0600

Priority: Major Regression?

Status: Closed/Complete Components: Resources/res_rtp_asterisk

Versions: 13.18.2 14.7.2 15.1.2 Frequency of
Occurrence

Related
Issues:
is duplicated by ASTERISK-27382 crash after an invalid rtcp packet from GT48 FXS gateway

Environment: Attachments: ( 0) AST-2017-012.txt
( 1) AST-2017-012-13.diff

Description: There is logic in res_rtp_asterisk which handles RTCP RR/SR record report blocks. This code was originally written to handle a single RR/SR report but during HEP work the code was changed so multiple RR/SR reports could be handled. However, report_counter is not reset between processing RR/SR records which can result in writing outside of allocated memory on the next RR/SR record in the packet.

Comments: By: Joshua C. Colp (jcolp) 2017-11-30 18:51:39.405-0600

I have attached the draft security advisory and patch which is currently up for review that resolves the problem. I do not currently have a time frame for when a release will occur that incorporates it but will update this issue when I do.
By: Joshua C. Colp (jcolp) 2017-12-12 09:25:57.894-0600

The release time for the security release is looking like tomorrow.
By: Friendly Automation (friendly-automation) 2017-12-13 07:52:44.400-0600

Change 7549 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7549|https://gerrit.asterisk.org/7549]
By: Friendly Automation (friendly-automation) 2017-12-13 07:52:46.982-0600

Change 7550 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7550|https://gerrit.asterisk.org/7550]
By: Friendly Automation (friendly-automation) 2017-12-13 07:52:49.541-0600

Change 7554 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7554|https://gerrit.asterisk.org/7554]
By: Friendly Automation (friendly-automation) 2017-12-13 07:52:51.987-0600

Change 7553 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7553|https://gerrit.asterisk.org/7553]
By: Friendly Automation (friendly-automation) 2017-12-13 07:53:15.294-0600

Change 7552 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7552|https://gerrit.asterisk.org/7552]
By: Friendly Automation (friendly-automation) 2017-12-13 07:53:17.833-0600

Change 7551 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7551|https://gerrit.asterisk.org/7551]
By: Friendly Automation (friendly-automation) 2017-12-13 08:30:24.111-0600

Change 7556 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7556|https://gerrit.asterisk.org/7556]
By: Friendly Automation (friendly-automation) 2017-12-13 08:30:26.183-0600

Change 7557 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7557|https://gerrit.asterisk.org/7557]
By: Friendly Automation (friendly-automation) 2017-12-13 08:30:29.656-0600

Change 7555 merged by George Joseph:
AST-2017-012: Place single RTCP report block at beginning of report.

[https://gerrit.asterisk.org/7555|https://gerrit.asterisk.org/7555]