[asterisk-bugs] [Asterisk 0017976]: Asterisk Crash on RTCP package in SRTP mode
Asterisk Bug Tracker
noreply at bugs.digium.com
Thu Apr 7 23:33:46 CDT 2011
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=17976
======================================================================
Reported By: bernhards
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 17976
Category: Resources/res_srtp
Reproducibility: always
Severity: crash
Priority: normal
Status: acknowledged
Asterisk Version: SVN
JIRA: SWP-2196
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): 1.8
SVN Revision (number only!): 285988
Request Review:
======================================================================
Date Submitted: 2010-09-10 01:52 CDT
Last Modified: 2011-04-07 23:33 CDT
======================================================================
Summary: Asterisk Crash on RTCP package in SRTP mode
Description:
"snom360-SIP 8.4.18 42570" connected to Asterisk with TLS. snom makes an
outbound call to another phone (without srtp). Other telephone does ring -
then Asterisk does crash.
libsrtp version 1.4.4 was used - without a change.
======================================================================
----------------------------------------------------------------------
(0133524) rshpount (reporter) - 2011-04-07 23:33
https://issues.asterisk.org/view.php?id=17976#c133524
----------------------------------------------------------------------
There is an invalid index access in rdb.c when adding an index. When the
sequence number of the SRTCP packet is outside of the window by more than
the window size, a bit is set outside of the window bitmap. When the sequence
number is outside of the window size by more than one, a wrong bit is set.
Here is the proposed fix.
In the current code in rdb.c:
err_status_t
rdb_add_index(rdb_t *rdb, uint32_t index) {
  uint32_t delta;

  /* here we *assume* that index > rdb->window_start */
  delta = (index - rdb->window_start);
  if (delta < rdb_bits_in_bitmask) {
    /* if the index is within the window, set the appropriate bit */
    v128_set_bit(&rdb->bitmask, delta);
  } else {
    delta -= rdb_bits_in_bitmask - 1;
    /* shift the window forward by delta bits*/
    v128_left_shift(&rdb->bitmask, delta);
    v128_set_bit(&rdb->bitmask, rdb_bits_in_bitmask-delta);
    rdb->window_start += delta;
  }
  return err_status_ok;
}
It should be:
err_status_t
rdb_add_index(rdb_t *rdb, uint32_t index) {
  uint32_t delta;

  /* here we *assume* that index > rdb->window_start */
  delta = (index - rdb->window_start);
  if (delta < rdb_bits_in_bitmask) {
    /* if the index is within the window, set the appropriate bit */
    v128_set_bit(&rdb->bitmask, delta);
  } else {
    delta -= rdb_bits_in_bitmask - 1;
    /* shift the window forward by delta bits*/
    v128_left_shift(&rdb->bitmask, delta);
    v128_set_bit(&rdb->bitmask, rdb_bits_in_bitmask-1);
    rdb->window_start += delta;
  }
  return err_status_ok;
}
Issue History
Date Modified Username Field Change
======================================================================
2011-04-07 23:33 rshpount Note Added: 0133524
======================================================================
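The two variants of the else-branch from the note above, run side by side in a small stand-alone model of a 128-bit replay window. This is an added example, not libsrtp or Asterisk code. The names rdb_model_t, get_bit, set_bit_checked, slide, add_index and try_jump are hypothetical, the return codes are this example's own, and the shift direction (bit i moves to i - n) is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RDB_BITS 128u /* rdb_bits_in_bitmask in the note above */
typedef struct { uint32_t window_start; uint32_t v32[4]; } rdb_model_t;

static int get_bit(const rdb_model_t *r, uint32_t bit) {
    return (int)((r->v32[bit >> 5] >> (bit & 31)) & 1u);
}
/* Guarded stand-in for v128_set_bit: reports instead of writing past v32[]. */
static int set_bit_checked(rdb_model_t *r, uint32_t bit) {
    if (bit >= RDB_BITS) return -1;
    r->v32[bit >> 5] |= 1u << (bit & 31);
    return 0;
}

/* Assumed shift semantics: bit i moves to i - n as window_start advances. */
static void slide(rdb_model_t *r, uint32_t n) {
    rdb_model_t old = *r;
    memset(r->v32, 0, sizeof r->v32);
    for (uint32_t i = n; i < RDB_BITS; i++)
        if (get_bit(&old, i)) set_bit_checked(r, i - n);
}

/* 0: bit for index set; -1: bit outside bitmap; -2: wrong bit set. */
static int add_index(rdb_model_t *r, uint32_t index, int fixed) {
    uint32_t delta = index - r->window_start, bit = delta;
    if (delta >= RDB_BITS) {
        delta -= RDB_BITS - 1;
        slide(r, delta);
        bit = fixed ? RDB_BITS - 1 : RDB_BITS - delta; /* fixed=0: original */
        r->window_start += delta;
    }
    if (set_bit_checked(r, bit)) return -1;
    return get_bit(r, index - r->window_start) ? 0 : -2;
}

static int try_jump(uint32_t jump, int fixed) {
    rdb_model_t r = {0}; /* constructed input: fresh window starting at 0 */
    return add_index(&r, jump, fixed);
}

int main(void) {
    const uint32_t jumps[] = {5, 128, 129, 255, 256, 100000};
    for (size_t i = 0; i < sizeof jumps / sizeof jumps[0]; i++)
        printf("jump %6u: original=%d fixed=%d\n", (unsigned)jumps[i],
               try_jump(jumps[i], 0), try_jump(jumps[i], 1));
    return 0;
}
```

With the original expression, the unsigned subtraction wraps once the adjusted delta exceeds the bitmap size, which is the out-of-range case the guard reports as -1.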