Ticket #2092 (closed defect: fixed)

Opened 5 months ago

Last modified 5 months ago

Crash when receiving SDP with invalid fmtp attribute

Reported by: ming
Owned by: nanang
Priority: critical
Milestone: release-2.8
Component: pjmedia
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description (last modified by ming)

Receiving an SDP message body with an invalid fmtp attribute will cause a segmentation fault.

The following SIP message was used to reproduce the issue:

INVITE sip:5678@127.0.0.1:5060 SIP/2.0
To: <sip:5678@127.0.0.1:5060>
From: Test <sip:5678@127.0.0.1:5060>
Call-ID: adc9caea-2d0a-40af-9de5-1dd21387e03a
CSeq: 2 INVITE
Via: SIP/2.0/UDP 172.17.0.1:10394;branch=z9hG4bKadc9caea-2d0a-40af-9de5-1dd21387e03a
Contact: <sip:5678@172.17.0.1>
Content-Type: application/sdp
Content-Length: 228

v=0
o=- 1061502179 1061502179 IN IP4 172.17.0.1
c=IN IP4 172.17.0.1
t=0 0
m=audio 17000 RTP/AVP 9 0 101
a=rtpmap:8 alaw/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp\x00:101 0-16
a=sendrecv

Notes:

  • \x00 should be replaced by the null character

GDB backtrace result:

Thread 197 received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff65e57700 (LWP 10595)]
pjmedia_sdp_attr_get_fmtp (attr=<optimized out>, fmtp=fmtp@entry=0x7fff65e56430) at ../src/pjmedia/sdp.c:350
350	    while (pj_isdigit(*p) && p!=end)
(gdb) bt
#0  pjmedia_sdp_attr_get_fmtp (attr=<optimized out>, fmtp=fmtp@entry=0x7fff65e56430) at ../src/pjmedia/sdp.c:350

Thanks to Alfred Farrugia and Sandro Gauci from Enable Security for the finding and Kevin Harwell from Digium for the report.

CVE ID: CVE-2018-1000099
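The loop quoted in the backtrace, `while (pj_isdigit(*p) && p!=end)`, reads the byte at `p` before testing `p` against `end`, so a value that is empty or otherwise ends where the parser expects a digit is read one byte past its bound. The following is an added example, not pjproject code and not the change made in r5740: a bounds-checked parser for the value part of an `a=fmtp:<fmt> <params>` attribute that takes a counted buffer rather than a C string (the reproduction above relies on an embedded NUL, so `strlen` is not a safe bound) and checks the bound before every dereference. The names `sdp_fmtp`, `fmtp_parse_value`, `fmtp_parse_cstr`, `fmtp_splits_as` and `fmtp_value_ok` are invented for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type for this example (not pjmedia's pjmedia_sdp_fmtp):
 * the parsed attribute is returned as two counted slices into the input. */
typedef struct sdp_fmtp {
    const char *fmt;        /* payload-type token, e.g. "101" */
    size_t      fmt_len;
    const char *params;     /* parameter string, e.g. "0-16"; may be empty */
    size_t      params_len;
} sdp_fmtp;

/* Parse the value of an a=fmtp attribute given as (value, len).
 * Returns 0 on success, -1 on empty or malformed input. Every read of *p
 * is guarded by p != end first; the crashing loop in the ticket's
 * backtrace tested the byte before the bound. */
int fmtp_parse_value(const char *value, size_t len, sdp_fmtp *out)
{
    const char *p, *end;

    if (value == NULL || out == NULL || len == 0)
        return -1;                          /* empty value: nothing to parse */

    p = value;
    end = value + len;

    /* Leading whitespace. */
    while (p != end && (*p == ' ' || *p == '\t'))
        ++p;

    /* Payload type: one or more ASCII digits. */
    out->fmt = p;
    while (p != end && isdigit((unsigned char)*p))
        ++p;
    out->fmt_len = (size_t)(p - out->fmt);
    if (out->fmt_len == 0)
        return -1;                          /* no digit where one is required */

    /* Whitespace separates the payload type from its parameters; a value
     * with only a payload type is accepted with an empty parameter string. */
    if (p != end) {
        if (*p != ' ' && *p != '\t')
            return -1;                      /* junk glued to the payload type */
        while (p != end && (*p == ' ' || *p == '\t'))
            ++p;
    }
    out->params = p;
    out->params_len = (size_t)(end - p);
    return 0;
}

/* Convenience wrapper for a NUL-terminated value. */
int fmtp_parse_cstr(const char *value, sdp_fmtp *out)
{
    return value ? fmtp_parse_value(value, strlen(value), out) : -1;
}

/* Check helper: 1 if the value parses and splits into exactly the expected
 * payload type and parameter string, 0 otherwise. */
int fmtp_splits_as(const char *value, const char *exp_fmt, const char *exp_params)
{
    sdp_fmtp f;
    if (fmtp_parse_cstr(value, &f) != 0)
        return 0;
    return f.fmt_len == strlen(exp_fmt) && memcmp(f.fmt, exp_fmt, f.fmt_len) == 0 &&
           f.params_len == strlen(exp_params) && memcmp(f.params, exp_params, f.params_len) == 0;
}

/* Check helper for counted buffers: 1 if the value is accepted, 0 if rejected. */
int fmtp_value_ok(const char *value, size_t len)
{
    sdp_fmtp f;
    return fmtp_parse_value(value, len, &f) == 0;
}

int main(void)
{
    /* Constructed inputs: the ticket's "101 0-16", an empty value, and a
     * buffer whose first byte is NUL but whose length counts bytes after it. */
    sdp_fmtp f;
    const char with_nul[] = "\0:101 0-16";

    if (fmtp_parse_cstr("101 0-16", &f) == 0)
        printf("fmt=%.*s params=%.*s\n", (int)f.fmt_len, f.fmt,
               (int)f.params_len, f.params);
    printf("empty value accepted: %d\n", fmtp_value_ok("", 0));
    printf("NUL-led value accepted: %d\n", fmtp_value_ok(with_nul, sizeof(with_nul) - 1));
    return 0;
}
```

The point of passing `(value, len)` rather than a C string is that the SDP parser already knows the attribute's length from the line it split; carrying that length into the fmtp routine, and testing it before each read, is what makes the empty and NUL-containing cases return an error instead of reading past the buffer.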

Change History

comment:1 Changed 5 months ago by ming

  • Status changed from new to closed
  • Resolution set to fixed

In 5740:

Fixed #2092: Crash when receiving SDP with invalid fmtp attribute

comment:2 Changed 5 months ago by ming

  • Priority changed from normal to critical

comment:3 Changed 5 months ago by ming

  • Description modified