[asterisk-bugs] [JIRA] (ASTERISK-21190) chan_mgcp crash on chunked m= sdp line
Rusty Newton (JIRA)
noreply at issues.asterisk.org
Fri Mar 1 09:40:18 CST 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21190?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rusty Newton updated ASTERISK-21190:
------------------------------------
Description:
I've got from a buggy MTA a chunked message:
{noformat}
200 61838464 OK
I: 11B72
v=0
o=- 61838464 72562 IN IP4 10.252.5.203
s=-
c=IN IP4 10.252.5.203
b=AS:82
t=0 0
m=audio 53
{noformat}
asterisk crashed when it parsed the m line
{noformat}
#0 0x0000003f85478d50 in strlen () from /lib64/libc.so.6
No symbol table info available.
#1 0x00002aaab9a82e12 in process_sdp (sub=0x2aaaac4a3c10, req=0x40cf9010)
at chan_mgcp.c:2477
__old = 0x40cfbf61 ""
__len = <value optimized out>
__new = <value optimized out>
m = 0x40cf94b7 "audio 53"
c = <value optimized out>
a = <value optimized out>
host = "10.252.5.203", '\0' <repeats 245 times>
len = 10922
portno = 53
peercapability = <value optimized out>
peerNonCodecCapability = <value optimized out>
sin = {sin_family = 2, sin_port = 13568, sin_addr = {
{noformat}
it occurred:
{noformat}
if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1) {
{noformat}
the len is uninitialized now: the %30d is initialized, the return value will be 1, but the sscanf() never reaches the %n position
fix:
{noformat}
len = 0;
if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1 || !len) {
ast_log(LOG_WARNING, "Unable to determine port number or codecs for RTP in '%s'\n", m);
return -1;
}
{noformat}
in another usage it is not needed:
{noformat}
if (sscanf(codecs, "%30d%n", &codec, &len) != 1) {
{noformat}
if it returns 1 here, the sscanf always reaches the %n position
The SIP channel driver is affected too, in many places
in chan_sip.c:
{noformat}
if ((media == SDP_AUDIO && ((sscanf(m, "audio %30u/%30u RTP/AVP %n", &x, &numberofports, &len) == 2 && len > 0)
{noformat}
the len value is checked, but the len = 0; before sscanf() is missing
all asterisk versions are affected
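A worked illustration of the two sscanf() patterns discussed in the description, added here as an example; it is not code from the report or from Asterisk. It places the unsafe check beside a hardened parser that zeroes len before each sscanf() call and tests it afterwards, and it covers both the chan_mgcp form ("audio PORT RTP/AVP") and the "PORT/N" form chan_sip scans. Because reading a genuinely uninitialized int is undefined behaviour, the unsafe function substitutes the stale value the crash dump showed (len = 10922) for the leftover stack content and returns the offset instead of forming m + len. The names parse_media_unsafe, parse_media_safe and struct media_line, the port and payload-type range checks, and all sample lines (the first is the one from the report) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CODECS 32

/* Parsed body of an SDP media line: "audio PORT[/N] RTP/AVP pt pt ...".
 * Hypothetical type for this example, not an Asterisk structure. */
struct media_line {
    unsigned port;           /* RTP port from the m= line */
    unsigned numberofports;  /* N from "PORT/N", 1 when absent */
    int codec_offset;        /* offset of the payload-type list within m */
    int ncodecs;
    int codecs[MAX_CODECS];  /* RTP payload types in listed order */
};

/* The pattern from the report.  sscanf() stores %n only if matching reaches
 * it; on "audio 53" the scan stops at the missing "RTP/AVP", the return value
 * is still 1 (one conversion done), and len keeps whatever the stack held. */
int parse_media_unsafe(const char *m, int *portno, int *offset)
{
    int len = 10922;   /* stands in for uninitialized stack garbage (constructed) */

    if (sscanf(m, "audio %30d RTP/AVP %n", portno, &len) != 1) {
        return -1;
    }
    *offset = len;     /* chan_mgcp went on to use m + len from here */
    return 0;
}

/* Hardened parser: len is zeroed before every sscanf() and checked after it,
 * so a truncated line is rejected instead of producing a bogus offset.
 * Accepts "audio PORT RTP/AVP ..." and "audio PORT/N RTP/AVP ...".
 * Returns 0 on success, -1 on a malformed line. */
int parse_media_safe(const char *m, struct media_line *out)
{
    int len = 0;
    const char *codecs;

    memset(out, 0, sizeof(*out));
    out->numberofports = 1;

    if (!(sscanf(m, "audio %30u/%30u RTP/AVP %n",
                 &out->port, &out->numberofports, &len) == 2 && len > 0)) {
        /* Not the PORT/N form: reset and try the plain form.  The reset matters
         * because the partial match above may have stored port but not len. */
        len = 0;
        out->numberofports = 1;
        if (sscanf(m, "audio %30u RTP/AVP %n", &out->port, &len) != 1 || len == 0) {
            return -1;   /* "Unable to determine port number or codecs" */
        }
    }
    if (out->port > 65535 || out->numberofports == 0) {
        return -1;       /* range checks added by this example */
    }
    out->codec_offset = len;

    /* Payload-type list.  No len check is needed here: once %30d has
     * converted, the scan has necessarily reached the %n directly after it. */
    codecs = m + len;
    while (out->ncodecs < MAX_CODECS) {
        int codec, clen = 0;

        if (sscanf(codecs, "%30d%n", &codec, &clen) != 1) {
            break;
        }
        if (codec < 0 || codec > 127) {
            return -1;   /* outside the RTP payload-type range */
        }
        out->codecs[out->ncodecs++] = codec;
        codecs += clen;
    }
    codecs += strspn(codecs, " \t\r\n");
    return *codecs == '\0' ? 0 : -1;   /* reject trailing junk */
}

int main(void)
{
    /* Constructed inputs; the first one is the line from the report. */
    static const char *samples[] = {
        "audio 53", "audio 53 RTP/AVP 0 8 101", "audio 49170/2 RTP/AVP 0", "audio 53/2"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct media_line ml;
        int portno = 0, offset = 0;
        int u = parse_media_unsafe(samples[i], &portno, &offset);
        int s = parse_media_safe(samples[i], &ml);

        printf("%-26s unsafe: rc=%d offset=%d   safe: rc=%d port=%u ncodecs=%d\n",
               samples[i], u, offset, s, ml.port, ml.ncodecs);
    }
    return 0;
}
```

On the report's line "audio 53" the unsafe variant returns 0 with offset 10922, which is exactly the state the gdb frame shows (len = 10922, portno = 53) just before strlen() is called on memory far past the end of the message; the safe variant returns -1 from the same input because len is still 0 after the call.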
> chan_mgcp crash on chunked m= sdp line
> --------------------------------------
>
> Key: ASTERISK-21190
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21190
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_mgcp
> Affects Versions: 11.2.1
> Environment: FC 18
> Reporter: adomjan
> Severity: Critical
> Attachments: chan_mgcp.c-sscnaf_fix
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs mailing list