Summary: ASTERISK-01023: Serious bug in 'ast_rtp_raw_write'
Reporter: mman (mman)
Labels:
Date Opened: 2004-02-11 08:55:16.000-0600
Date Closed: 2008-01-15 14:43:45.000-0600
Priority: Major
Regression? No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:

Description:

'ast_rtp_raw_write', line 959:

    ...
    /* Get a pointer to the header */
    rtpheader = (unsigned int *)(f->data - hdrlen);
    ...

This line causes serious memory corruption which is untraceable and may cause random segfaults (for frames that do not provide additional space for headers).

Comments:

By: mman (mman) 2004-02-11 09:03:06.000-0600

The fix should be trivial. Just check f->offset before trying to invade into unknown memory regions.

By: Mark Spencer (markster) 2004-02-11 12:55:33.000-0600

Do you have any indication that this bug has actually caused any segfaults? Can you cause it to break, for example, under valgrind, under any testing condition?

By: Mark Spencer (markster) 2004-02-11 12:59:45.000-0600

Actually I just looked and ast_rtp_raw_write is only called by ast_rtp_write, which should not allow a frame to be called with an invalid offset (since it is either generated in the smoother or it is specifically checked). If you have a corner case or can show it happening (e.g. under valgrind) just reopen this bug.

By: mman (mman) 2004-02-16 04:40:06.000-0600

Well, the smoother is not so "clever" to fix optimized frames. You may reproduce the bug by writing optimized frames of alaw, ulaw, g729, gsm or ilbc.

By: Mark Spencer (markster) 2004-02-16 10:18:35.000-0600

Okay easy enough. I assume there is still no place this ever actually happens, still? No audio source in Asterisk should send audio without including some offset, otherwise it breaks zero-copy routines. So, if there is a source which is generating them without offset, that definitely needs to be fixed.

By: Digium Subversion (svnbot) 2008-01-15 14:43:44.000-0600

Repository: asterisk
Revision: 2183

U branches/v1-0_stable/frame.c
U branches/v1-0_stable/include/asterisk/frame.h

------------------------------------------------------------------------
r2183 | markster | 2008-01-15 14:43:43 -0600 (Tue, 15 Jan 2008) | 2 lines

Make sure smoother always generates frames with offset (bug ASTERISK-1023)
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=2183

By: Digium Subversion (svnbot) 2008-01-15 14:43:45.000-0600

Repository: asterisk
Revision: 2184

U trunk/frame.c
U trunk/include/asterisk/frame.h

------------------------------------------------------------------------
r2184 | markster | 2008-01-15 14:43:44 -0600 (Tue, 15 Jan 2008) | 2 lines

Make sure smoother only creates frames with offsets (bug ASTERISK-1023)
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=2184
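
The headroom check discussed in this thread, as an added example that is not Asterisk's code: the header is written in front of the payload only when the frame declares at least a header's worth of offset, and otherwise the payload is copied into a scratch buffer. `struct frame`, `rtp_build` and `demo` are hypothetical names, the struct is a simplified stand-in for `struct ast_frame`, and the test frame is constructed.

```c
#include <stddef.h>
#include <string.h>

#define RTP_HDRLEN 12   /* fixed RTP header, no CSRC entries */

/* Simplified stand-in for a media frame (hypothetical, not struct ast_frame). */
struct frame {
    unsigned char *data;  /* first payload byte */
    size_t datalen;       /* payload length in bytes */
    size_t offset;        /* writable bytes the producer reserved before data */
};

/* Returns the start of header+payload, or NULL if it cannot be built safely.
 * Without declared headroom the payload is copied into scratch instead. */
unsigned char *rtp_build(const struct frame *f, unsigned char *scratch,
                         size_t scratch_len, unsigned seq)
{
    unsigned char *pkt;
    if (f->offset >= RTP_HDRLEN) {
        pkt = f->data - RTP_HDRLEN;          /* zero-copy path */
    } else {
        if (scratch_len < RTP_HDRLEN || f->datalen > scratch_len - RTP_HDRLEN)
            return NULL;                     /* no room: refuse, do not write */
        memcpy(scratch + RTP_HDRLEN, f->data, f->datalen);
        pkt = scratch;
    }
    memset(pkt, 0, RTP_HDRLEN);
    pkt[0] = 0x80;                           /* RTP version 2 */
    pkt[2] = (unsigned char)(seq >> 8);      /* sequence number, big-endian */
    pkt[3] = (unsigned char)seq;
    return pkt;
}

/* Constructed frame: 12 bytes of 0xAA precede the payload; `offset` is what the
 * producer declares. 1 = in place, 0 = scratch used and 0xAA intact, <0 = error. */
int demo(size_t offset, size_t scratch_len)
{
    unsigned char buf[RTP_HDRLEN + 4], scratch[64];
    memset(buf, 0xAA, sizeof buf);
    struct frame f = { buf + RTP_HDRLEN, 4, offset };
    unsigned char *pkt = rtp_build(&f, scratch, scratch_len, 1);
    if (pkt == NULL) return -2;
    if (pkt == buf) return 1;
    for (size_t i = 0; i < RTP_HDRLEN; i++)
        if (buf[i] != 0xAA) return -1;       /* bytes before data were clobbered */
    return 0;
}

int main(void) { return demo(0, 64) == 0 && demo(RTP_HDRLEN, 64) == 1 ? 0 : 1; }
```

The check trusts the declared offset, so it protects only as long as every frame producer reports its reserved headroom truthfully.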