Summary: ASTERISK-27488: core: If frame with unnegotiated format is read crash will occur
Reporter: Sébastien Duthil (sduthil)
Labels: fax patch
Date Opened: 2017-12-18 14:46:29.000-0600
Date Closed: 2018-02-21 10:40:03.000-0600
Versions: 15.0.0 15.1.0 15.1.1 15.1.2 15.1.3
Frequency of
is duplicated by ASTERISK-27672 MixMonitor Audiohook SIGSEGV under Load
is related to ASTERISK-27463 Asterisk fails randomly
Environment: Debian 8 Jessie, Asterisk 15.1.3, Cisco SPA 122
Attachments:
( 0) AST-2018-001.pdf
( 1) ASTERISK-27488_testsuite.diff
( 2) c9d6bfc.diff
( 3) full.log
( 4) gdb-bt-thread1.txt
( 5) rtp.pcapng
Description:
Given the following setup:

Fax -> Cisco analog gateway -> SIP -> Asterisk

Given the Cisco analog gateway is configured with Fax Passthru = NSE (sends an NSE RTP packet upon fax detection)
Given faxes are handled with the application ReceiveFax
When I receive a fax from the gateway (in the logs: exten 106 sends a fax to exten 945)
Then Asterisk crashes with segfault

Note that in the exact same environment, if I change _only_ this setting on the gateway Fax Passthru = ReINVITE (i.e. no special RTP packet is sent, but a SIP packet instead), and receive another fax then Asterisk does not crash.

Analyzing the core dump, I see:

#1  0x080f41c7 in __ast_read (chan=0xb9cf1d4, dropaudio=0, dropnondefault=1) at channel.c:3703
(gdb) p f->subclass.format.name
$3 = 0x827290e "vp8"
(gdb) p f->subclass.format->codec.name
$4 = 0x827290e "vp8"
(gdb) p f->subclass.format->codec.description
$5 = 0x8272912 "VP8 video"
(gdb) p f->frametype
$6 = AST_FRAME_VIDEO
(gdb) p chan->default_streams
$7 = {0x0, 0xb647670, 0x0, 0x0, 0x0}

The network capture shows the NSE RTP packet at number 41.
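The mechanism the report describes, as an added example that is not Asterisk's code: a toy RTP receive path keeps an engine-wide payload-type (PT) table and a per-call set of negotiated PTs. An RTP packet whose PT the engine table knows but the call never negotiated (here the gateway's NSE packet, assumed to use dynamic PT 100, with the engine table assumed to map PT 100 to VP8 so the symptom matches the "vp8" video frame in the backtrace) is turned into a frame by the unchecked path and discarded by the checked one. All function and structure names are hypothetical, and the two packets are constructed, not taken from the attached capture.

```c
/* Added example, not Asterisk code: why a PT the engine knows but the call did
 * not negotiate must be dropped at the RTP layer instead of passed up as a frame.
 * Assumptions: NSE uses dynamic PT 100; the engine table maps PT 100 to VP8. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frametype { FRAME_NONE = 0, FRAME_VOICE = 1, FRAME_VIDEO = 2 };

struct format { const char *name; enum frametype type; };

static const struct format fmt_ulaw = { "ulaw", FRAME_VOICE };
static const struct format fmt_vp8  = { "vp8",  FRAME_VIDEO };

#define MAX_PT 128

struct rtp_session {
    const struct format *known[MAX_PT];  /* engine-wide PT -> format table */
    unsigned char negotiated[MAX_PT];    /* 1 if this call's SDP listed the PT */
};

struct frame {
    enum frametype type;
    const struct format *fmt;
    const uint8_t *payload;
    size_t len;
};

/* Parse the fixed RTP header (RFC 3550 section 5.1). Returns the 7-bit payload
 * type, or -1 for a malformed packet; *off receives the payload offset. */
static int rtp_parse(const uint8_t *pkt, size_t len, size_t *off)
{
    size_t hdr;
    if (len < 12 || (pkt[0] >> 6) != 2) {
        return -1;                              /* too short or not RTP v2 */
    }
    hdr = 12 + 4 * (size_t)(pkt[0] & 0x0f);     /* skip the CSRC list */
    if (pkt[0] & 0x10) {                        /* header extension present */
        if (hdr + 4 > len) {
            return -1;
        }
        hdr += 4 + 4 * (size_t)((pkt[hdr + 2] << 8) | pkt[hdr + 3]);
    }
    if (hdr > len) {
        return -1;
    }
    *off = hdr;
    return pkt[1] & 0x7f;                       /* strip the marker bit */
}

/* Audio-only call: the peer negotiated PCMU (PT 0). The engine also knows a
 * dynamic PT 100 as VP8 (assumed), but nothing in this call's SDP enabled it. */
void session_init(struct rtp_session *s)
{
    memset(s, 0, sizeof *s);
    s->known[0]   = &fmt_ulaw;
    s->known[100] = &fmt_vp8;
    s->negotiated[0] = 1;
}

static int build_frame(const struct rtp_session *s, int pt, const uint8_t *pkt,
                       size_t len, size_t off, struct frame *out)
{
    out->fmt = s->known[pt];
    out->type = out->fmt->type;
    out->payload = pkt + off;
    out->len = len - off;
    return 0;
}

/* Pre-fix behaviour: any PT the engine table knows becomes a frame, so the NSE
 * packet surfaces as a VP8 video frame on a call that has no video stream. */
int rtp_read_unchecked(const struct rtp_session *s, const uint8_t *pkt,
                       size_t len, struct frame *out)
{
    size_t off;
    int pt = rtp_parse(pkt, len, &off);
    if (pt < 0 || !s->known[pt]) {
        return -1;
    }
    return build_frame(s, pt, pkt, len, off, out);
}

/* Post-fix behaviour: the PT must also have been negotiated for this call,
 * otherwise the packet is discarded here and never reaches the channel. */
int rtp_read_checked(const struct rtp_session *s, const uint8_t *pkt,
                     size_t len, struct frame *out)
{
    size_t off;
    int pt = rtp_parse(pkt, len, &off);
    if (pt < 0 || !s->known[pt] || !s->negotiated[pt]) {
        return -1;
    }
    return build_frame(s, pt, pkt, len, off, out);
}

/* Constructed packets (not from the attached capture): 12-byte header plus a
 * 2-byte payload. pkt_nse has the marker bit set and PT 100 (0xe4 = M | 100). */
const uint8_t pkt_ulaw[] = { 0x80, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 1, 0xff, 0xff };
const uint8_t pkt_nse[]  = { 0x80, 0xe4, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 1, 0x20, 0x00 };

int main(void)
{
    struct rtp_session s;
    struct frame f;
    session_init(&s);
    if (rtp_read_unchecked(&s, pkt_nse, sizeof pkt_nse, &f) == 0) {
        printf("unchecked: NSE packet became a %s frame (type %d)\n", f.fmt->name, f.type);
    }
    if (rtp_read_checked(&s, pkt_nse, sizeof pkt_nse, &f) < 0) {
        printf("checked: NSE packet dropped, PT 100 was not negotiated\n");
    }
    return 0;
}
```

The check belongs at the RTP layer because that is the only place that knows both the packet's PT and the call's negotiated set; once a frame with a foreign format is handed to the channel core, code such as __ast_read has no stream to route it to (note the 0x0 entries in chan->default_streams above) and nothing safe to do with it.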
Comments:
By: Asterisk Team (asteriskteam) 2017-12-18 14:46:30.595-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Sébastien Duthil (sduthil) 2017-12-18 14:50:34.895-0600

I note that this bug is very similar to this bug report: ASTERISK-27364

By: Kevin Harwell (kharwell) 2018-01-08 10:37:53.654-0600

It's possible this issue is the same or related to ASTERISK-27364. That issue has been fixed, but has not been released yet (it will be released in 15.2.0). Could you please try the patch ([ASTERISK-27364.diff|https://issues.asterisk.org/jira/secure/attachment/56146/ASTERISK-27364.diff]) attached on that issue and see if it fixes the problem. Thanks!

By: Kevin Harwell (kharwell) 2018-01-08 17:53:01.020-0600

This issue is not related to ASTERISK-27364.

By: Kevin Harwell (kharwell) 2018-01-08 17:54:12.567-0600

I have duplicated this issue using the attached Asterisk testsuite test [^ASTERISK-27488_testsuite.diff].

By: Joshua C. Colp (jcolp) 2018-01-23 08:25:40.437-0600

I'm attaching the security vulnerability document and a patch which resolves the issue. I do not have a timeframe yet on a release but will update this issue once I have a date.

By: Sébastien Duthil (sduthil) 2018-01-23 13:32:45.918-0600

Great! Thank you!

By: Friendly Automation (friendly-automation) 2018-02-21 10:40:05.679-0600

Change 8312 merged by Joshua Colp:
AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.


By: Friendly Automation (friendly-automation) 2018-02-21 10:40:16.012-0600

Change 8313 merged by Joshua Colp:
AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.


By: Friendly Automation (friendly-automation) 2018-02-21 10:40:24.826-0600

Change 8314 merged by Joshua Colp:
AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.