![(please configure the [header_logo] section in trac.ini)](/repos/chrome/site/pj.jpg)
#2093 closed defect (fixed)
Crash when parsing SDP with an invalid media format description
| Reported by: | ming | Owned by: | nanang |
|---|---|---|---|
| Priority: | critical | Milestone: | release-2.8 |
| Component: | pjmedia | Version: | trunk |
| Keywords: | Cc: | ||
| Backport to 1.x milestone: | Backported: | no |
Description (last modified by ming)
Receiving an SDP message body with an invalid media format description causes a segmentation fault.
The problematic SDP section is:
m=audio 17000 RTP/AVP 4294967296
GDB backtrace result:
Thread 26 received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff0297700 (LWP 45)] __longjmp_chk (env=env@entry=0x0, val=val@entry=1) at ../setjmp/longjmp.c:32 32 ../setjmp/longjmp.c: No such file or directory. (gdb) bt #0 __longjmp_chk (env=env@entry=0x0, val=val@entry=1) at ../setjmp/longjmp.c:32 #1 0x00007ffff78ed4ae in pj_throw_exception_ (exception_id=1) at ../src/pj/except.c:54 #2 0x00007ffff7868070 in pool_callback (pool=<optimized out>, size=<optimized out>) at ../src/pjsip/sip_endpoint.c:143 #3 0x00007ffff78f1a93 in pj_pool_create_block (size=1407375809856000, pool=0x7fff8c002c90) at ../src/pj/pool.c:63 #4 pj_pool_allocate_find (pool=0x7fff8c002c90, size=1407375809852724) at ../src/pj/pool.c:138 #5 0x00007ffff78fbb75 in pj_strdup (pool=pool@entry=0x7fff8c002c90, dst=dst@entry=0x7fff8c027638, src=src@entry=0x7fff8c025638) at ../include/pj/string_i.h:41 #6 0x00007ffff78b287e in pjmedia_sdp_media_clone (pool=pool@entry=0x7fff8c002c90, rhs=0x7fff8c025608) at ../src/pjmedia/sdp.c:691 #7 0x00007ffff78b4069 in pjmedia_sdp_session_clone (pool=pool@entry=0x7fff8c002c90, rhs=0x7fff8c01cdb8) at ../src/pjmedia/sdp.c:1422 #8 0x00007ffff7847f31 in create_sdp_body (c_sdp=<optimized out>, pool=0x7fff8c002c90) at ../src/pjsip-ua/sip_inv.c:1722 #9 process_answer (inv=inv@entry=0x7fff8c009f28, st_code=st_code@entry=200, local_sdp=local_sdp@entry=0x0, tdata=0x7fff8c002d38, tdata=0x7fff8c002d38) at ../src/pjsip-ua/sip_inv.c:2257 #10 0x00007ffff7848681 in pjsip_inv_answer (inv=0x7fff8c009f28, st_code=st_code@entry=200, st_text=st_text@entry=0x0, local_sdp=local_sdp@entry=0x0, p_tdata=p_tdata@entry=0x7ffff0296d10) at ../src/pjsip-ua/sip_inv.c:2393
Thanks to Alfred Farrugia and Sandro Gauci from Enable Security for the finding and Kevin Harwell from Digium for the report.
CVE ID: CVE-2018-1000098
Change History (3)
comment:1 Changed 7 years ago by ming
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 7 years ago by ming
- Priority changed from normal to critical
comment:3 Changed 7 years ago by ming
- Description modified (diff)
Note: See
TracTickets for help on using
tickets.
In 5741: