[asterisk-bugs] [JIRA] (ASTERISK-28076) bridging: Asterisk crashes when receiving an empty realtime text frame
Emmanuel BUU (JIRA)
noreply at issues.asterisk.org
Fri Sep 28 03:17:54 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-28076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=244989#comment-244989 ]
Emmanuel BUU commented on ASTERISK-28076:
-----------------------------------------
It will take a bit of time. In the meantime, here is an explanation:
1- the text frame has fr->datalen set to 0.
2- it is passed to ast_bridge_channel_queue_frame()
3- inside the ast_bridge_channel_queue_frame() function, it is cloned:
    dup = ast_frdup(fr);
the result is a duplicated frame with datalen set to 0 and an invalid fr->data.ptr pointer.
4- later, the function bridge_channel_handle_write() is called with the duplicated frame as an argument
There are two lines where the invalid pointer can corrupt memory / cause a crash:
- the call to ast_debug()
- inside the ast_sendtext()

    case AST_FRAME_TEXT:
        ast_debug(1, "Sending TEXT frame to '%s': %*.s\n",
            ast_channel_name(bridge_channel->chan), fr->datalen, (char *)fr->data.ptr);
        ast_sendtext(bridge_channel->chan, fr->data.ptr);

> bridging: Asterisk crashes when receiving an empty realtime text frame
> ----------------------------------------------------------------------
>
> Key: ASTERISK-28076
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28076
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/Bridging
> Affects Versions: 13.22.0
> Environment: CentOS 7 but this bug is OS independent
> Reporter: Emmanuel BUU
> Assignee: Emmanuel BUU
> Severity: Minor
>
> When receiving an RTP packet containing an empty redundant realtime text frame, asterisk 13.22.0 crashes.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
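
The failure mode described in the comment above (a zero-length text frame whose payload pointer is later used as a C string) can be guarded against by checking the length before touching the pointer. The following is an added example, not part of the original message and not Asterisk's code or its eventual fix: struct text_frame, text_frame_to_cstr() and handle_text_write() are hypothetical names used only to model the check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a text frame: a length plus a payload pointer.
 * This is NOT Asterisk's struct ast_frame. */
struct text_frame {
    int datalen;       /* payload length in bytes; 0 for an empty frame */
    const void *ptr;   /* payload; must not be trusted when datalen <= 0 */
};

/* Copy the payload into out as a NUL-terminated string.
 * Returns bytes copied, 0 for an empty frame (ptr is never dereferenced),
 * or -1 if the frame is malformed or out is too small. */
int text_frame_to_cstr(const struct text_frame *fr, char *out, size_t outlen)
{
    if (!fr || !out || outlen == 0 || fr->datalen < 0)
        return -1;
    out[0] = '\0';
    if (fr->datalen == 0)
        return 0;                         /* empty: ignore ptr entirely */
    if (!fr->ptr || (size_t)fr->datalen >= outlen)
        return -1;
    /* The payload may lack a terminator: stop at datalen or the first NUL. */
    const char *nul = memchr(fr->ptr, '\0', (size_t)fr->datalen);
    size_t n = nul ? (size_t)(nul - (const char *)fr->ptr) : (size_t)fr->datalen;
    memcpy(out, fr->ptr, n);
    out[n] = '\0';
    return (int)n;
}

/* Write-path guard: returns 1 if the text was handed on, 0 if dropped. */
int handle_text_write(const struct text_frame *fr)
{
    char text[256];
    int n = text_frame_to_cstr(fr, text, sizeof(text));
    if (n <= 0)
        return 0;                         /* empty or malformed: no log, no send */
    printf("Sending TEXT frame: %.*s\n", n, text);   /* bounded by n */
    return 1;
}

int main(void)
{
    /* Constructed inputs: empty frame with a junk pointer; "hi" without NUL. */
    struct text_frame empty = { 0, (const void *)(size_t)0x1 };
    struct text_frame hi = { 2, "hi!" };
    int a = handle_text_write(&empty), b = handle_text_write(&hi);
    printf("empty=%d text=%d\n", a, b);
    return 0;
}
```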