Opened 8 years ago

Closed 8 years ago

#1456 closed defect (fixed)

Crash on SRTP unprotect after SRTP restarted on replay error (thanks Dan Arrhenius for the report)

Reported by: nanang Owned by: nanang
Priority: normal Milestone: release-1.14
Component: pjmedia Version: 1.x-branch
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description

Scenario reported:

  1. A packet arrives and srtp_rtp_cb() is called.
  2. srtp_unprotect() returns replay error, triggering pjmedia_transport_srtp_start(). The problem starts from here as internal SRTP states tx_policy and rx_policy is used directly in pjmedia_transport_srtp_start() call param.
  3. pjmedia_transport_srtp_start() first invokes pjmedia_transport_srtp_stop(), which nullifies the above tx_policy and rx_policy.
  4. things start going wrong (invalid SRTP and libSRTP states/contexts generated).
  5. pjmedia_transport_srtp_start() returns PJ_SUCCESS, triggering another srtp_unprotect() call which expectedly leading to a crash!

Change History (1)

comment:1 Changed 8 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

(In [3961]) Fix #1456: don't use SRTP internal state (tx_policy/rx_policy) directly for calling pjmedia_transport_srtp_start() in restarting SRTP after getting replay error.

Note: See TracTickets for help on using tickets.