[asterisk-bugs] [JIRA] (ASTERISK-21190) chan_mgcp crash on chunked m= sdp line

adomjan (JIRA) noreply at issues.asterisk.org
Thu Feb 28 06:17:18 CST 2013


adomjan created ASTERISK-21190:
----------------------------------

             Summary: chan_mgcp crash on chunked m= sdp line
                 Key: ASTERISK-21190
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21190
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Channels/chan_mgcp
    Affects Versions: 11.2.1
         Environment: FC 18
            Reporter: adomjan
            Severity: Critical


I got a chunked message from a buggy MTA:
200 61838464 OK
I: 11B72

v=0
o=- 61838464 72562 IN IP4 10.252.5.203
s=-
c=IN IP4 10.252.5.203
b=AS:82
t=0 0
m=audio 53


Asterisk crashed when parsing the m= line:

#0  0x0000003f85478d50 in strlen () from /lib64/libc.so.6
No symbol table info available.
#1  0x00002aaab9a82e12 in process_sdp (sub=0x2aaaac4a3c10, req=0x40cf9010)
    at chan_mgcp.c:2477
	__old = 0x40cfbf61 ""
	__len = <value optimized out>
	__new = <value optimized out>
	m = 0x40cf94b7 "audio 53"
	c = <value optimized out>
	a = <value optimized out>
	host = "10.252.5.203", '\0' <repeats 245 times>
	len = 10922
	portno = 53
	peercapability = <value optimized out>
	peerNonCodecCapability = <value optimized out>
	sin = {sin_family = 2, sin_port = 13568, sin_addr = {

It occurred here:
if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1) {

len is uninitialized; the %30d is initialized, so the return value will be 1, but sscanf() never reaches the %n position.

Fix:
        len = 0;
        if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1 || !len) {
                ast_log(LOG_WARNING, "Unable to determine port number or codecs for RTP in '%s'\n", m);
                return -1;
        }

In another usage it is not needed:
 if (sscanf(codecs, "%30d%n", &codec, &len) != 1) {

If it returns 1 here, sscanf always reaches the %n position.

The SIP channel driver is affected too, in many places in chan_sip.c:
if ((media == SDP_AUDIO && ((sscanf(m, "audio %30u/%30u RTP/AVP %n", &x, &numberofports, &len) == 2 && len > 0)

The len value is checked, but the len = 0; before sscanf() is missing.

All Asterisk versions are affected.
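The following stand-alone C program is an added illustration of the sscanf()/%n behaviour the report describes; it is not Asterisk code. It models the m= line handling of process_sdp() with a hypothetical parse_audio_m_line() helper: n_conversion_reached() presets len to a sentinel to show that a return value of 1 does not imply %n was stored, and the hardened parser applies the reported fix (zero len first, reject len == 0) before using len as an offset into the line. The m= lines used as input are constructed from the report and from a normal SDP offer.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not chan_mgcp.c. Returns 1 if the %n conversion in the
 * "audio <port> RTP/AVP %n" format was actually executed for this m= line,
 * 0 if sscanf() stopped earlier. len is preset to a sentinel so that we can
 * observe whether sscanf() wrote it at all (in the real code it was simply
 * left uninitialized, which is undefined behaviour). */
int n_conversion_reached(const char *m)
{
    int portno = -1;
    int len = -12345;   /* sentinel: untouched unless %n is reached */
    int rc = sscanf(m, "audio %30d RTP/AVP %n", &portno, &len);
    /* rc == 1 for both "audio 53" and "audio 53 RTP/AVP 0": the port was
     * converted, so the return value alone cannot tell the two apart. */
    return rc == 1 && len != -12345;
}

/* Hardened parser (hypothetical helper, mirrors the reported fix): zero len
 * before the call and treat len == 0 as failure, so m + len is only used as
 * an offset when "RTP/AVP" really matched. Stores the port in *portno and
 * up to max_codecs payload type numbers in codecs_out[]; returns the number
 * of codecs parsed, or -1 for a malformed line. */
int parse_audio_m_line(const char *m, int *portno, int codecs_out[], int max_codecs)
{
    int len = 0;
    int codec;
    int count = 0;
    const char *codecs;

    if (sscanf(m, "audio %30d RTP/AVP %n", portno, &len) != 1 || !len) {
        return -1;  /* no port, or the line ended before "RTP/AVP" */
    }
    codecs = m + len;

    /* Here a return value of 1 guarantees %n was reached (the only
     * conversion before it succeeded), so len is always valid, which is
     * why the codec loop in the report needs no extra check. */
    while (count < max_codecs && sscanf(codecs, "%30d%n", &codec, &len) == 1) {
        codecs_out[count++] = codec;
        codecs += len;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: the truncated line from the report and a normal one. */
    const char *bad = "audio 53";
    const char *good = "audio 53 RTP/AVP 0 8 18";
    int port = 0, codecs[16], n, i;

    printf("%-28s %%n reached: %d\n", bad, n_conversion_reached(bad));
    printf("%-28s %%n reached: %d\n", good, n_conversion_reached(good));

    n = parse_audio_m_line(bad, &port, codecs, 16);
    printf("parse \"%s\" -> %d\n", bad, n);

    n = parse_audio_m_line(good, &port, codecs, 16);
    printf("parse \"%s\" -> port %d, %d codecs:", good, port, n);
    for (i = 0; i < n; i++) {
        printf(" %d", codecs[i]);
    }
    printf("\n");
    return 0;
}
```

The same pattern applies to the chan_sip.c line quoted above: a `len > 0` test after sscanf() is only meaningful if len was set to 0 before the call, otherwise the comparison reads an uninitialized value when the format stops before `%n`.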

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
