Summary: ASTERISK-27488: core: If frame with unnegotiated format is read crash will occur
Reporter: Sébastien Duthil (sduthil)
Labels: fax patch
Date Opened: 2017-12-18 14:46:29.000-0600
Date Closed: 2018-02-21 10:40:03.000-0600
Priority: Minor
Regression?
Status: Closed/Complete
Components: Core/Streams
Versions: 15.0.0 15.1.0 15.1.1 15.1.2 15.1.3
Frequency of Occurrence:
Related Issues:
Environment: Debian 8 Jessie, Asterisk 15.1.3, Cisco SPA 122
Attachments:
( 0) AST-2018-001.pdf
( 1) ASTERISK-27488_testsuite.diff
( 2) c9d6bfc.diff
( 3) full.log
( 4) gdb-bt-thread1.txt
( 5) rtp.pcapng

Description:

Given the following setup:
Fax -> Cisco analog gateway -> SIP -> Asterisk

Given the Cisco analog gateway is configured with Fax Passthru = NSE (sends a NSE RTP packet upon fax detection)
Given faxes are handled with the application ReceiveFax
When I receive a fax from the gateway (in the logs: exten 106 sends a fax to exten 945)
Then Asterisk crashes with segfault

Note that in the exact same environment, if I change _only_ this setting on the gateway Fax Passthru = ReINVITE (i.e. no special RTP packet is sent, but a SIP packet instead), and receive another fax then Asterisk does not crash.

Analyzing the core dump, I see:
{noformat}
#1 0x080f41c7 in __ast_read (chan=0xb9cf1d4, dropaudio=0, dropnondefault=1) at channel.c:3703
(gdb) p f->subclass.format.name
$3 = 0x827290e "vp8"
(gdb) p f->subclass.format->codec.name
$4 = 0x827290e "vp8"
(gdb) p f->subclass.format->codec.description
$5 = 0x8272912 "VP8 video"
(gdb) p f->frametype
$6 = AST_FRAME_VIDEO
(gdb) p chan->default_streams
$7 = {0x0, 0xb647670, 0x0, 0x0, 0x0}
{noformat}

The network capture shows the NSE RTP packet at number 41.

Comments:

By: Asterisk Team (asteriskteam) 2017-12-18 14:46:30.595-0600
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.
A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.
Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Sébastien Duthil (sduthil) 2017-12-18 14:50:34.895-0600
I note that this bug is very similar to this bug report: ASTERISK-27364

By: Kevin Harwell (kharwell) 2018-01-08 10:37:53.654-0600
It's possible this issue is the same or related to ASTERISK-27364. That issue has been fixed, but has not been released yet (it will be released in 15.2.0). Could you please try the patch ([ASTERISK-27364.diff|https://issues.asterisk.org/jira/secure/attachment/56146/ASTERISK-27364.diff]) attached on that issue and see if it fixes the problem.
Thanks!

By: Kevin Harwell (kharwell) 2018-01-08 17:53:01.020-0600
This issue is not related to ASTERISK-27364.

By: Kevin Harwell (kharwell) 2018-01-08 17:54:12.567-0600
I have duplicated this issue using the attached Asterisk testsuite test [^ASTERISK-27488_testsuite.diff].

By: Joshua C. Colp (jcolp) 2018-01-23 08:25:40.437-0600
I'm attaching the security vulnerability document and a patch which resolves the issue. I do not have a timeframe yet on a release but will update this issue once I have a date.

By: Sébastien Duthil (sduthil) 2018-01-23 13:32:45.918-0600
Great! Thank you!

By: Friendly Automation (friendly-automation) 2018-02-21 10:40:05.679-0600
Change 8312 merged by Joshua Colp: AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.
[https://gerrit.asterisk.org/8312|https://gerrit.asterisk.org/8312]

By: Friendly Automation (friendly-automation) 2018-02-21 10:40:16.012-0600
Change 8313 merged by Joshua Colp: AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.
[https://gerrit.asterisk.org/8313|https://gerrit.asterisk.org/8313]

By: Friendly Automation (friendly-automation) 2018-02-21 10:40:24.826-0600
Change 8314 merged by Joshua Colp: AST-2018-001: rtp / channel: Don't allow an unnegotiated format to be passed up.
[https://gerrit.asterisk.org/8314|https://gerrit.asterisk.org/8314]
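
A simplified model of the state shown in the core dump in the description (an AST_FRAME_VIDEO frame with format "vp8" on a channel whose default_streams has a single non-NULL slot) and of the kind of check the merged change's title describes, dropping a frame whose format was not negotiated. This is an added example, not Asterisk source or the merged patch; every type and function name is hypothetical, and the "ulaw" format and the mapping of slots to media types are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, NOT Asterisk source. All names are hypothetical. */
enum media_type { MEDIA_UNKNOWN, MEDIA_AUDIO, MEDIA_IMAGE, MEDIA_VIDEO, MEDIA_TEXT, MEDIA_COUNT };

struct stream { const char *formats[4]; size_t nformats; };
struct frame  { enum media_type type; const char *format; };
struct channel {
    /* One default stream per media type; NULL when that type was never negotiated. */
    struct stream *default_streams[MEDIA_COUNT];
};

/* Returns 1 only if the frame's format was negotiated on the default stream for
 * its media type. A NULL slot means "not negotiated" and is never dereferenced. */
static int frame_is_negotiated(const struct channel *chan, const struct frame *f)
{
    if ((unsigned)f->type >= (unsigned)MEDIA_COUNT || f->format == NULL)
        return 0;
    const struct stream *s = chan->default_streams[f->type];
    if (s == NULL)
        return 0;
    for (size_t i = 0; i < s->nformats; i++)
        if (strcmp(s->formats[i], f->format) == 0)
            return 1;
    return 0;
}

/* Read-path filter: returns the frame to pass up, or NULL to drop it. */
static const struct frame *filter_read_frame(const struct channel *chan, const struct frame *f)
{
    return frame_is_negotiated(chan, f) ? f : NULL;
}

/* Constructed sample: an audio-only call (one non-NULL slot, as in the dump;
 * the "ulaw" format and slot order are assumptions). Returns 1 if passed up. */
static int passes_up(enum media_type type, const char *format)
{
    struct stream audio = { { "ulaw" }, 1 };
    struct channel chan = { { NULL, &audio, NULL, NULL, NULL } };
    struct frame f = { type, format };
    return filter_read_frame(&chan, &f) != NULL;
}

int main(void)
{
    printf("audio/ulaw passed up: %d\n", passes_up(MEDIA_AUDIO, "ulaw"));
    printf("video/vp8  passed up: %d\n", passes_up(MEDIA_VIDEO, "vp8"));
    return 0;
}
```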