Summary:ASTERISK-21190: chan_mgcp crash on chunked m= sdp line
Reporter:adomjan (adomjan)Labels:
Date Opened:2013-02-28 06:16:42.000-0600Date Closed:2013-10-23 10:25:01
Versions:11.2.1 Frequency of Occurrence:One Time
Environment:FC 18 Attachments:( 0) chan_mgcp.c-sscnaf_fix
Description:I got a chunked message from a buggy MTA:

200 61838464 OK
I: 11B72

o=- 61838464 72562 IN IP4
c=IN IP4
t=0 0
m=audio 53

Asterisk crashed when it parsed the m line:

#0  0x0000003f85478d50 in strlen () from /lib64/libc.so.6
No symbol table info available.
#1  0x00002aaab9a82e12 in process_sdp (sub=0x2aaaac4a3c10, req=0x40cf9010)
   at chan_mgcp.c:2477
__old = 0x40cfbf61 ""
__len = <value optimized out>
__new = <value optimized out>
m = 0x40cf94b7 "audio 53"
c = <value optimized out>
a = <value optimized out>
host = "", '\0' <repeats 245 times>
len = 10922
portno = 53
peercapability = <value optimized out>
peerNonCodecCapability = <value optimized out>
sin = {sin_family = 2, sin_port = 13568, sin_addr = {

It occurred at:

if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1) {

len is uninitialized, %30d is initialized, so the return value will be 1, but sscanf() never reaches the %n position.

len = 0;
if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1 || !len) {
        ast_log(LOG_WARNING, "Unable to determine port number or codecs for RTP in '%s'\n", m);
        return -1;
}

In another usage it is not needed:
if (sscanf(codecs, "%30d%n", &codec, &len) != 1) {

If it returns 1 here, sscanf always reaches the %n position.

The SIP channel driver is affected too, in many places.
In chan_sip.c:
if ((media == SDP_AUDIO && ((sscanf(m, "audio %30u/%30u RTP/AVP %n", &x, &numberofports, &len) == 2 && len > 0)

The len value is checked, but the len = 0; before sscanf() is missing.

All Asterisk versions are affected.
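The following is an added example, not the reporter's patch or Asterisk code. It reproduces the two sscanf() patterns discussed in the report against the m= line body "audio 53" from the crashing MTA (constructed input copied from the report), plus a well-formed line for comparison. The value 10922 is a constructed stand-in for whatever the uninitialized stack slot held (it is the len shown in the backtrace); the function names and the "%30d%n" codec walker are assumptions for illustration.

```c
#include <stdio.h>

/* Stand-in for an uninitialized local: in the real crash len held 10922. */
#define GARBAGE_LEN 10922

/* Buggy pattern from the report: returns the offset the caller would add to m,
 * or -1 if sscanf() reports failure. When "RTP/AVP" is missing, sscanf() still
 * returns 1 (the %30d matched) but never reaches %n, so len is returned unset. */
int buggy_codec_offset(const char *m)
{
    int portno;
    int len = GARBAGE_LEN;   /* constructed stand-in for an uninitialized local */

    if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1) {
        return -1;
    }
    return len;   /* the real code then computed codecs = m + len and read past the buffer */
}

/* Fixed pattern from the report: pre-set len to 0 and reject a zero offset,
 * which is exactly the "conversion succeeded but %n not reached" case. */
int fixed_codec_offset(const char *m)
{
    int portno;
    int len = 0;

    if (sscanf(m, "audio %30d RTP/AVP %n", &portno, &len) != 1 || !len) {
        return -1;
    }
    return len;
}

/* The other pattern, "%30d%n": nothing sits between the conversion and the %n,
 * so a return of 1 guarantees len was written and no pre-initialization is
 * needed. Walks a space-separated codec list; returns the number parsed. */
int parse_codec_list(const char *codecs, int *out, int max)
{
    int n = 0;
    int codec, len;

    while (n < max && sscanf(codecs, "%30d%n", &codec, &len) == 1) {
        out[n++] = codec;
        codecs += len;
    }
    return n;
}

int main(void)
{
    const char *bad = "audio 53";                    /* constructed, from the report */
    const char *good = "audio 53 RTP/AVP 0 8 101";   /* constructed, well-formed */
    int codecs[8];
    int off, n;

    printf("buggy offset for '%s': %d\n", bad, buggy_codec_offset(bad));
    printf("fixed offset for '%s': %d\n", bad, fixed_codec_offset(bad));

    off = fixed_codec_offset(good);
    n = parse_codec_list(good + off, codecs, 8);
    printf("fixed offset for '%s': %d, %d codecs parsed\n", good, off, n);
    return 0;
}
```

Run stand-alone, the buggy parser reports success with a bogus offset of 10922 for "audio 53", while the fixed parser rejects the line; on the well-formed line both agree on offset 17 and the codec walker finds three payload types.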
Comments:By: Rusty Newton (rnewton) 2013-03-01 09:31:50.006-0600

Thanks for the patch! Since chan_mgcp is extended support and supported by the community (and I don't think we have a current official chan_mgcp maintainer) response times will reflect that. If you need this merged in soon you can always ask someone on the asterisk-dev list or in the #asterisk-dev chat to see if they want to review, test and push it through.

By: Kinsey Moore (kmoore) 2013-10-23 10:19:44.548-0500

It appears that this does not affect chan_sip since it already accounts for length not being set properly. This will be going into 1.8, 11, 12, and trunk shortly.