[Asterisk-code-review] AST-2021-008 - chan_iax2: remote crash on unsupported media format (asterisk[17.9])
George Joseph
asteriskteam at digium.com
Thu Jul 22 15:17:55 CDT 2021
George Joseph has submitted this change. ( https://gerrit.asterisk.org/c/asterisk/+/16205 )
Change subject: AST-2021-008 - chan_iax2: remote crash on unsupported media format
......................................................................
AST-2021-008 - chan_iax2: remote crash on unsupported media format
If chan_iax2 received a packet with an unsupported media format, for
example vp9, then it would set the frame's format to NULL. This could
then result in a crash later when an attempt was made to access the
format.
This patch makes it so chan_iax2 now ignores/drops frames received
with unsupported media format types.
ASTERISK-29392 #close
Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
---
M channels/chan_iax2.c
1 file changed, 31 insertions(+), 9 deletions(-)
Approvals:
George Joseph: Looks good to me, approved; Approved for Submit
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index db4bef3..a9da65b 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -4132,6 +4132,7 @@
long ms;
long next;
struct timeval now = ast_tvnow();
+ struct ast_format *voicefmt;
/* Make sure we have a valid private structure before going on */
ast_mutex_lock(&iaxsl[callno]);
@@ -4151,10 +4152,9 @@
ms = ast_tvdiff_ms(now, pvt->rxcore);
- if(ms >= (next = jb_next(pvt->jb))) {
- struct ast_format *voicefmt;
- voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
- ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
+ voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
+ if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
+ ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
switch(ret) {
case JB_OK:
fr = frame.data;
@@ -4182,7 +4182,7 @@
pvt = iaxs[callno];
}
}
- break;
+ break;
case JB_DROP:
iax2_frame_free(frame.data);
break;
@@ -6442,8 +6442,14 @@
f->frametype = fh->type;
if (f->frametype == AST_FRAME_VIDEO) {
f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
+ if (!f->subclass.format) {
+ f->subclass.format = ast_format_none;
+ }
} else if (f->frametype == AST_FRAME_VOICE) {
f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
+ if (!f->subclass.format) {
+ f->subclass.format = ast_format_none;
+ }
} else {
f->subclass.integer = uncompress_subclass(fh->csub);
}
@@ -9915,8 +9921,8 @@
} else if (iaxs[fr->callno]->voiceformat == 0) {
ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
iax2_vnak(fr->callno);
- } else {
- f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
+ } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
+ iaxs[fr->callno]->voiceformat))) {
f.datalen = len;
if (f.datalen >= 0) {
if (f.datalen)
@@ -10159,11 +10165,17 @@
f.frametype = fh->type;
if (f.frametype == AST_FRAME_VIDEO) {
f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
+ if (!f.subclass.format) {
+ return 1;
+ }
if ((fh->csub >> 6) & 0x1) {
f.subclass.frame_ending = 1;
}
} else if (f.frametype == AST_FRAME_VOICE) {
f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
+ if (!f.subclass.format) {
+ return 1;
+ }
} else {
f.subclass.integer = uncompress_subclass(fh->csub);
}
@@ -11781,6 +11793,11 @@
f.subclass.frame_ending = 1;
}
f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
+ if (!f.subclass.format) {
+ ast_variables_destroy(ies.vars);
+ ast_mutex_unlock(&iaxsl[fr->callno]);
+ return 1;
+ }
} else {
ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
iax2_vnak(fr->callno);
@@ -11802,9 +11819,14 @@
} else {
/* A mini frame */
f.frametype = AST_FRAME_VOICE;
- if (iaxs[fr->callno]->voiceformat > 0)
+ if (iaxs[fr->callno]->voiceformat > 0) {
f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
- else {
+ if (!f.subclass.format) {
+ ast_variables_destroy(ies.vars);
+ ast_mutex_unlock(&iaxsl[fr->callno]);
+ return 1;
+ }
+ } else {
ast_debug(1, "Received mini frame before first full voice frame\n");
iax2_vnak(fr->callno);
ast_variables_destroy(ies.vars);
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/16205
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: 17.9
Gerrit-Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
Gerrit-Change-Number: 16205
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Friendly Automation
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20210722/18412160/attachment-0001.html>
More information about the asterisk-code-review
mailing list