[asterisk-bugs] [Asterisk 0014000]: Wrong usage of sscanf with use of uninitialized variable caused accidental parsing of RTP/SAVP

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Dec 1 07:36:42 CST 2008 

The following issue has been SUBMITTED. 
====================================================================== 
http://bugs.digium.com/view.php?id=14000 
====================================================================== 
Reported By:                folke
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   14000
Category:                   Channels/chan_sip/CodecHandling
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!): 159896 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-12-01 07:36 CST
Last Modified:              2008-12-01 07:36 CST
====================================================================== 
Summary:                    Wrong usage of sscanf with use of uninitialized
variable caused accidental parsing of RTP/SAVP
Description: 
Hi folks!

We are Nortel VoIP-PBX Supporter and have a customer with as SIP-Trunk
between Nortel CS1000 and Asterisk. Worked fine. After an upgrade on Nortel
PBX to a new MediaGatewayCard (MC32s) no calls could be established. The
Nortel offers after the upgrade next to RTP also SRTP. 

But asterisk accidentaly parses also the m=audio line with RTP/SAVP in the
incoming SDP-Message causing to refused the call ('488 Not acceptable').

It was because a sscanf is used in chan_sip.c / process_sdp() to compare
and examine the 'm=audio' in a wrong way. As soon as the line starts with
'audio ' followed by a number, sscanf returns '1' regardless of the rest of
the line. The result of '%n' variable of sscanf was then used unitialized.

With my fix now chan_sip ignores now the 'm=audio ... RTP/SAVP' lines and
everything is fine.

see details

patch available


====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-12-01 07:36 folke          New Issue                                    
2008-12-01 07:36 folke          Asterisk Version          => SVN             
2008-12-01 07:36 folke          SVN Branch (only for SVN checkouts, not tarball
releases) =>  trunk          
2008-12-01 07:36 folke          SVN Revision (number only!) => 159896          
======================================================================

More information about the asterisk-bugs mailing list