<p>George Joseph has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/16205">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2021-008 - chan_iax2: remote crash on unsupported media format<br><br>If chan_iax2 received a packet with an unsupported media format, for<br>example vp9, then it would set the frame's format to NULL. This could<br>then result in a crash later when an attempt was made to access the<br>format.<br><br>This patch makes it so chan_iax2 now ignores/drops frames received<br>with unsupported media format types.<br><br>ASTERISK-29392 #close<br><br>Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1<br>---<br>M channels/chan_iax2.c<br>1 file changed, 31 insertions(+), 9 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/05/16205/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c</span><br><span>index db4bef3..a9da65b 100644</span><br><span>--- a/channels/chan_iax2.c</span><br><span>+++ b/channels/chan_iax2.c</span><br><span>@@ -4132,6 +4132,7 @@</span><br><span>      long ms;</span><br><span>     long next;</span><br><span>   struct timeval now = ast_tvnow();</span><br><span style="color: hsl(120, 100%, 40%);">+     struct ast_format *voicefmt;</span><br><span> </span><br><span>     /* Make sure we have a valid private structure before going on */</span><br><span>    ast_mutex_lock(&iaxsl[callno]);</span><br><span>@@ -4151,10 +4152,9 @@</span><br><span> </span><br><span>     ms = ast_tvdiff_ms(now, pvt->rxcore);</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-    if(ms >= (next = jb_next(pvt->jb))) {</span><br><span style="color: hsl(0, 100%, 40%);">-             struct ast_format *voicefmt;</span><br><span style="color: hsl(0, 100%, 
40%);">-            voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);</span><br><span style="color: hsl(0, 100%, 40%);">-               ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);</span><br><span style="color: hsl(120, 100%, 40%);">+        voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);</span><br><span style="color: hsl(120, 100%, 40%);">+     if (voicefmt && ms >= (next = jb_next(pvt->jb))) {</span><br><span style="color: hsl(120, 100%, 40%);">+              ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));</span><br><span>               switch(ret) {</span><br><span>                case JB_OK:</span><br><span>                  fr = frame.data;</span><br><span>@@ -4182,7 +4182,7 @@</span><br><span>                             pvt = iaxs[callno];</span><br><span>                  }</span><br><span>            }</span><br><span style="color: hsl(0, 100%, 40%);">-                       break;</span><br><span style="color: hsl(120, 100%, 40%);">+                break;</span><br><span>               case JB_DROP:</span><br><span>                        iax2_frame_free(frame.data);</span><br><span>                         break;</span><br><span>@@ -6442,8 +6442,14 @@</span><br><span>              f->frametype = fh->type;</span><br><span>               if (f->frametype == AST_FRAME_VIDEO) {</span><br><span>                    f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));</span><br><span style="color: hsl(120, 100%, 40%);">+                        if (!f->subclass.format) {</span><br><span style="color: hsl(120, 100%, 40%);">+                         f->subclass.format = ast_format_none;</span><br><span style="color: hsl(120, 100%, 40%);">+                      }</span><br><span>            } else if (f->frametype == AST_FRAME_VOICE) {</span><br><span>                     
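Review bot: Gating the whole dequeue on `voicefmt` in `if (voicefmt && ms >= (next = jb_next(pvt->jb)))` means nothing is read from the jitterbuffer while `pvt->voiceformat` does not map to a format, whereas the removed code still called `jb_get()` with a 20 ms default. If non-voice frames can be queued before the first voice frame (not visible in this hunk), they would sit in the buffer until a voice format is known, which trades the crash for stalled frames and buffer growth. Consider keeping the fallback, `ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);`, and rejecting the unsupported format where the frame is parsed instead. Short-circuiting also leaves `next` unassigned on that path; the function body continues outside the hunk, so check that nothing reads it afterwards.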
f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));</span><br><span style="color: hsl(120, 100%, 40%);">+                   if (!f->subclass.format) {</span><br><span style="color: hsl(120, 100%, 40%);">+                         f->subclass.format = ast_format_none;</span><br><span style="color: hsl(120, 100%, 40%);">+                      }</span><br><span>            } else {</span><br><span>                     f->subclass.integer = uncompress_subclass(fh->csub);</span><br><span>           }</span><br><span>@@ -9915,8 +9921,8 @@</span><br><span>            } else if (iaxs[fr->callno]->voiceformat == 0) {</span><br><span>                       ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");</span><br><span>                    iax2_vnak(fr->callno);</span><br><span style="color: hsl(0, 100%, 40%);">-               } else {</span><br><span style="color: hsl(0, 100%, 40%);">-                        f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);</span><br><span style="color: hsl(120, 100%, 40%);">+            } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(</span><br><span style="color: hsl(120, 100%, 40%);">+                                             iaxs[fr->callno]->voiceformat))) {</span><br><span>                     f.datalen = len;</span><br><span>                     if (f.datalen >= 0) {</span><br><span>                             if (f.datalen)</span><br><span>@@ -10159,11 +10165,17 @@</span><br><span>           f.frametype = fh->type;</span><br><span>           if (f.frametype == AST_FRAME_VIDEO) {</span><br><span>                        f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));</span><br><span style="color: hsl(120, 100%, 40%);">+                   if (!f.subclass.format) {</span><br><span style="color: hsl(120, 100%, 40%);">+                           
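Review bot: The two new `if (!f->subclass.format)` branches in the @@ -6442 hunk substitute `ast_format_none` rather than dropping the frame, which differs from the `return 1` used at @@ -10159 and from the commit message's statement that unsupported frames are dropped. A later `!f->subclass.format` test will not catch this placeholder, so it is worth stating why it is safe here, e.g. `/* Unsupported format: placeholder only, the frame is rejected when it is fully parsed */` if that is the case. The enclosing function starts and ends outside the hunk, so whether `f` is ever queued to a channel cannot be confirmed from these lines.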
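Review bot: When the bitfield does not map to a format, the new `else if` that assigns `f.subclass.format` in the @@ -9915 hunk simply falls through, so a trunked frame with an unsupported format is discarded with no trace; the `return 1` paths added at @@ -10159, @@ -11781 and @@ -11802 are equally silent. Since this is the input that AST-2021-008 describes as a remote crash trigger, a debug line would let operators see a peer sending it, e.g. `ast_debug(1, "Dropping frame with unsupported media format\n");`. Using `ast_debug` rather than `ast_log(LOG_WARNING, ...)` keeps a remote peer from flooding the log at default verbosity. The if/else chain continues outside the hunk, so a trailing `else` may need to be added for the trunk case.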
  return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+                     }</span><br><span>                    if ((fh->csub >> 6) & 0x1) {</span><br><span>                            f.subclass.frame_ending = 1;</span><br><span>                         }</span><br><span>            } else if (f.frametype == AST_FRAME_VOICE) {</span><br><span>                         f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));</span><br><span style="color: hsl(120, 100%, 40%);">+                       if (!f.subclass.format) {</span><br><span style="color: hsl(120, 100%, 40%);">+                             return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+                     }</span><br><span>            } else {</span><br><span>                     f.subclass.integer = uncompress_subclass(fh->csub);</span><br><span>               }</span><br><span>@@ -11781,6 +11793,11 @@</span><br><span>                                 f.subclass.frame_ending = 1;</span><br><span>                         }</span><br><span>                    f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);</span><br><span style="color: hsl(120, 100%, 40%);">+                    if (!f.subclass.format) {</span><br><span style="color: hsl(120, 100%, 40%);">+                             ast_variables_destroy(ies.vars);</span><br><span style="color: hsl(120, 100%, 40%);">+                              ast_mutex_unlock(&iaxsl[fr->callno]);</span><br><span style="color: hsl(120, 100%, 40%);">+                          return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+                     }</span><br><span>            } else {</span><br><span>                     ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");</span><br><span>                       iax2_vnak(fr->callno);</span><br><span>@@ -11802,9 +11819,14 @@</span><br><span>         } else 
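Review bot: Both new `return 1;` statements in the @@ -10159 hunk leave without any cleanup, while the equivalent checks at @@ -11781 and @@ -11802 call `ast_variables_destroy(ies.vars)` and `ast_mutex_unlock(&iaxsl[fr->callno])` first. That is only correct if the lock is not yet held and `ies` not yet populated at this point, which the hunk does not show because the function extends well beyond it. A short comment such as `/* Unsupported format: drop before the call lock is taken */` would make that dependency explicit, provided it is confirmed against the surrounding code.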
{</span><br><span>             /* A mini frame */</span><br><span>           f.frametype = AST_FRAME_VOICE;</span><br><span style="color: hsl(0, 100%, 40%);">-          if (iaxs[fr->callno]->voiceformat > 0)</span><br><span style="color: hsl(120, 100%, 40%);">+               if (iaxs[fr->callno]->voiceformat > 0) {</span><br><span>                    f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);</span><br><span style="color: hsl(0, 100%, 40%);">-              else {</span><br><span style="color: hsl(120, 100%, 40%);">+                        if (!f.subclass.format) {</span><br><span style="color: hsl(120, 100%, 40%);">+                             ast_variables_destroy(ies.vars);</span><br><span style="color: hsl(120, 100%, 40%);">+                              ast_mutex_unlock(&iaxsl[fr->callno]);</span><br><span style="color: hsl(120, 100%, 40%);">+                          return 1;</span><br><span style="color: hsl(120, 100%, 40%);">+                     }</span><br><span style="color: hsl(120, 100%, 40%);">+             } else {</span><br><span>                     ast_debug(1, "Received mini frame before first full voice frame\n");</span><br><span>                       iax2_vnak(fr->callno);</span><br><span>                    ast_variables_destroy(ies.vars);</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/16205">change 16205</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/16205"/><meta itemprop="name" content="View Change"/></div></div>

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 17.9 </div>
<div style="display:none"> Gerrit-Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1 </div>
<div style="display:none"> Gerrit-Change-Number: 16205 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>