#2092 closed defect (fixed)
Crash when receiving SDP with invalid fmtp attribute
Reported by: | ming | Owned by: | nanang |
---|---|---|---|
Priority: | critical | Milestone: | release-2.8 |
Component: | pjmedia | Version: | trunk |
Keywords: | | Cc: | |
Backport to 1.x milestone: | | Backported: | no |
Description (last modified by ming)
Receiving an SDP message body with an invalid fmtp attribute will cause a segmentation fault.
The following SIP message was used to reproduce the issue:

```
INVITE sip:5678@127.0.0.1:5060 SIP/2.0
To: <sip:5678@127.0.0.1:5060>
From: Test <sip:5678@127.0.0.1:5060>
Call-ID: adc9caea-2d0a-40af-9de5-1dd21387e03a
CSeq: 2 INVITE
Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bKadc9caea-2d0a-40af-9de5-1dd21387e03a
Contact: <sip:5678@172.17.0.1>
Content-Type: application/sdp
Content-Length: 228

v=0
o=- 1061502179 1061502179 IN IP4 172.17.0.1
c=IN IP4 172.17.0.1
t=0 0
m=audio 17000 RTP/AVP 9 0 101
a=rtpmap:8 alaw/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp\x00:101 0-16
a=sendrecv
```
Notes:
- \x00 should be replaced by the null character (a single 0x00 byte)

GDB backtrace result:

```
Thread 197 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff65e57700 (LWP 10595)]
pjmedia_sdp_attr_get_fmtp (attr=<optimized out>, fmtp=fmtp@entry=0x7fff65e56430) at ../src/pjmedia/sdp.c:350
350	    while (pj_isdigit(*p) && p!=end)
(gdb) bt
#0  pjmedia_sdp_attr_get_fmtp (attr=<optimized out>, fmtp=fmtp@entry=0x7fff65e56430) at ../src/pjmedia/sdp.c:350
```
Thanks to Alfred Farrugia and Sandro Gauci from Enable Security for the finding and Kevin Harwell from Digium for the report.
CVE ID: CVE-2018-1000099
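The crashing line in the backtrace tests `pj_isdigit(*p)` before `p!=end`, so for a value of length zero the very first dereference already lies outside the attribute value. The following is an added example, not PJSIP's code or its fix: a small fmtp attribute parser in plain C that performs the bounds check before every dereference and splits the attribute with explicit lengths (via `memchr`) rather than C-string functions, so the embedded NUL in the ticket's `a=fmtp\x00:101 0-16` line stays part of the attribute name and the line is simply not treated as fmtp. The `cstr` type is modelled on pjlib's `pj_str_t` but declared here for the example; `split_attr`, `parse_fmtp_value`, `handle_attr`, `classify_attr` and `fmtp_matches` are hypothetical names.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counted string in the style of pj_str_t (declared here; not pjlib's type). */
typedef struct { const char *ptr; size_t slen; } cstr;

/* Parsed fmtp value: "<format> <format-parameters>". */
typedef struct { cstr fmt; cstr fmt_param; } fmtp_t;

/* Split an attribute body (the text after "a=") into name and value using
 * the explicit length. memchr() sees the NUL in "fmtp\0:101 0-16" as an
 * ordinary byte of the name, so the name cannot be truncated the way a
 * strlen()-based split would truncate it. A body without ':' (e.g.
 * "sendrecv") yields an empty value with a NULL pointer. */
void split_attr(const char *body, size_t len, cstr *name, cstr *value)
{
    const char *colon = memchr(body, ':', len);
    name->ptr = body;
    if (colon == NULL) {
        name->slen = len;
        value->ptr = NULL;
        value->slen = 0;
    } else {
        name->slen = (size_t)(colon - body);
        value->ptr = colon + 1;
        value->slen = len - name->slen - 1;
    }
}

/* True only when the name is exactly "fmtp": length first, then bytes. */
int is_fmtp_attr(const cstr *name)
{
    return name->slen == 4 && memcmp(name->ptr, "fmtp", 4) == 0;
}

/* Parse an fmtp value. Each loop tests p != end BEFORE reading *p, the
 * reverse of the order on the crashing line, so an empty value (p == end
 * from the start, ptr possibly NULL) returns -1 without any out-of-bounds
 * read. Returns 0 on success. */
int parse_fmtp_value(const cstr *value, fmtp_t *out)
{
    const char *p = value->ptr;
    const char *end;

    if (p == NULL || value->slen == 0)
        return -1;
    end = p + value->slen;

    out->fmt.ptr = p;
    while (p != end && isdigit((unsigned char)*p))
        ++p;
    out->fmt.slen = (size_t)(p - out->fmt.ptr);
    if (out->fmt.slen == 0)
        return -1;                 /* value must start with a payload type */

    while (p != end && (*p == ' ' || *p == '\t'))
        ++p;

    out->fmt_param.ptr = p;        /* may be empty: slen == 0 */
    out->fmt_param.slen = (size_t)(end - p);
    return 0;
}

/* 1 = well-formed fmtp parsed into *out, 0 = not an fmtp attribute
 * (ignored), -1 = malformed fmtp (reject the offer). */
int handle_attr(const char *body, size_t len, fmtp_t *out)
{
    cstr name, value;
    split_attr(body, len, &name, &value);
    if (!is_fmtp_attr(&name))
        return 0;
    return parse_fmtp_value(&value, out) == 0 ? 1 : -1;
}

/* Same classification without exposing the parsed fields. */
int classify_attr(const char *body, size_t len)
{
    fmtp_t unused;
    return handle_attr(body, len, &unused);
}

/* 1 if body parses as fmtp with exactly this format and parameter string. */
int fmtp_matches(const char *body, size_t len, const char *fmt, const char *param)
{
    fmtp_t f;
    if (handle_attr(body, len, &f) != 1)
        return 0;
    return f.fmt.slen == strlen(fmt) && memcmp(f.fmt.ptr, fmt, f.fmt.slen) == 0
        && f.fmt_param.slen == strlen(param)
        && memcmp(f.fmt_param.ptr, param, f.fmt_param.slen) == 0;
}

int main(void)
{
    /* Constructed inputs: the ticket's line (NUL inside the name), a
     * well-formed line, and an fmtp attribute with an empty value. */
    static const char bad[] = "fmtp\0:101 0-16", good[] = "fmtp:101 0-16", empty[] = "fmtp:";
    printf("bad=%d good=%d empty=%d\n", classify_attr(bad, sizeof bad - 1),
           classify_attr(good, sizeof good - 1), classify_attr(empty, sizeof empty - 1));
    return 0;
}
```

The two defensive points are independent: the length-first split keeps wire bytes such as NUL from changing which attribute a line is taken to be, and the `p != end` test ahead of `*p` means a zero-length value is rejected with an error code instead of a read past the value, which is the path the backtrace above ends on.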
Change History (3)
comment:1 Changed 7 years ago by ming
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 7 years ago by ming
- Priority changed from normal to critical
comment:3 Changed 7 years ago by ming
- Description modified (diff)
In 5740: