#505: Segfault with malformed rtcp packet (Open)

Aug 25 2009 * 12:34
Reported by: Release: 1.2
Priority: Critical Milestone: 1.2.1
Component: SIP Assigned to:
Attachment: rtp.c.diff  [application/octet-stream]

Hi,

I’m using the current release (1.2.1) of Callweaver, and recently we have had several segfaults due to malformed RTCP packets. The segfault was systematic with each buggy packet.

The problem is in corelib/rtp.c: there is not enough checking of the provided block length. With buggy packets (which could be a DoS attack) the length value could be over 10000 (more than 10 times too big).

I’ve made a patch to correct it (attached file).

The patch ignores the wrong block but not the whole packet. The beginning of the packet is parsed, and this allows seeing, in debug mode, partial information about jitter and RTP packet loss, because RTCP support is not complete in Callweaver.

I’ve tested the patch for 1 week in production without any issue.

Don’t hesitate to give me feedback about any issue with the patch.
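Defensive parsing of the block-length field the report describes, as an added example (not the attached rtp.c.diff and not Callweaver's own corelib/rtp.c); the function names and the sample packet are constructed here:

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not Callweaver's rtp.c: walk a compound RTCP packet and
 * stop at the first block whose advertised length runs past the buffer,
 * so earlier blocks stay usable while the bad one is ignored. */

/* Returns the number of blocks accepted. The 16-bit length field comes
 * from the network, so it is checked against the bytes actually left. */
int rtcp_count_valid_blocks(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int accepted = 0;

    while (buflen - off >= 4) {               /* need a full 4-byte header */
        unsigned version = buf[off] >> 6;
        unsigned length  = ((unsigned)buf[off + 2] << 8) | buf[off + 3];
        size_t   block   = ((size_t)length + 1) * 4;  /* RFC 3550: 32-bit words minus one */

        if (version != 2)
            break;                            /* not RTCP, ignore the rest */
        if (block > buflen - off)
            break;                            /* length field lies: drop this block */
        accepted++;
        off += block;
    }
    return accepted;
}

/* Constructed sample: a valid 8-byte RR block (PT 201, length field 1)
 * followed by a block claiming 9999 words (40000 bytes) with only 8 bytes
 * present, the kind of packet the report says crashed the server. */
static const uint8_t sample_packet[] = {
    0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
    0x80, 0xC8, 0x27, 0x0F, 0x55, 0x66, 0x77, 0x88,
};

int demo_constructed_packet(void)
{
    return rtcp_count_valid_blocks(sample_packet, sizeof sample_packet);
}
```

Without the `block > buflen - off` check, the second header would advance the offset by 40000 bytes and any read of that block would run off the end of the buffer.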

Changelog:

Modified by Aug 25 2009 * 15:06
  • Release: set to 1.2
  • Milestone: set to 1.2.1
Modified by Aug 28 2009 * 12:02
  • Priority: changed from Major to Critical
Modified by Oct 14 2009 * 13:52
  • Milestone: changed from 1.2.1 to Generic future releases

Hi,

I’ve seen the same problem on trunk, the patch would also work on it.

I’m surprised this patch isn’t included in source code.

For information, the patch included with the first post is running on some systems for 2 months without any problem.

It seems important to me to mention that this could be used in DoS attacks.

Regards

Eric

Modified by Jan 06 2010 * 16:28
  • Assigned user: set to mjagdis
  • Milestone: changed from Generic future releases to 1.2.1
Modified by Feb 22 2010 * 15:03
  • Component: changed from core to SIP
  • Assigned user: reset (from mjagdis)
Modified by Feb 22 2010 * 15:04

This patch has worked perfectly for more than 4 months in production on several servers without any issue.