[asterisk-bugs] [JIRA] (ASTERISK-28076) bridging: Asterisk crashes when receiving an empty realtime text frame
Corey Farrell (JIRA)
noreply at issues.asterisk.org
Fri Sep 28 06:27:54 CDT 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-28076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=244990#comment-244990 ]
Corey Farrell commented on ASTERISK-28076:
------------------------------------------
Could this issue be fixed from ast_frdup? It currently sets {{out->data.ptr}} only {{if (out->datalen)}}, otherwise it sets {{out->data.uint32}}. out->data is a union so this is modifying out->data.ptr as well. Maybe this should initialize the pointer {{if (out->datalen || out->frametype == AST_FRAME_TEXT)}}? I think it would be better to ensure that {{struct ast_frame}} is valid instead of trying to ignore invalid structures where. I have not tested this suggested change but wanted to make sure this is considered. I also have not checked if other frame types also use out->data.ptr with a potentially zero out->datalen.
I just did a crude scan of asterisk using {{git grep \-e '\->datalen' \-\-and \-e '\->data\.ptr'|wc \-l}} - 101 lines in master which in theory could be at risk.
> bridging: Asterisk crashes when receiving an empty realtime text frame
> ----------------------------------------------------------------------
>
> Key: ASTERISK-28076
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28076
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Core/Bridging
> Affects Versions: 13.22.0
> Environment: CentOS 7 but this bug is OS independend
> Reporter: Emmanuel BUU
> Assignee: Unassigned
> Severity: Minor
>
> When receiving an RTP packet containing an empty redundant realtime text frame, asterisk 13.22.0 crashes.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list