Ticket #2166 (closed defect: fixed)

Opened 8 days ago

Last modified 8 days ago

Possible buffer overread if RTCP packet length is invalid

Reported by: ming
Owned by: nanang
Priority: major
Milestone: release-2.9
Component: pjmedia
Version: trunk
Keywords:
Cc:
Backport to 1.x milestone:
Backported: no

Description

If the RTCP packet length is invalid (contains a large number), there is a potential buffer overread, which may lead to a crash when parsing the packet.

The problem occurs because, when parsing, we pass the invalid length as the packet size in pjmedia_rtcp_rx_rtcp() (rtcp.c), for example:

    len = (pj_ntohs((pj_uint16_t)common->length)+1) * 4;
    ....
    parse_rtcp_report(sess, p, len);

Change History

comment:1 Changed 8 days ago by ming

  • Status changed from new to closed
  • Resolution set to fixed

In 5919:

Fixed #2166: Possible buffer overread if RTCP packet length is invalid
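The class of check this ticket is about, as an added example (not PJSIP code and not the change made in 5919): a stand-alone walker that computes each sub-packet's length from the header field, as the snippet in the description does, but rejects the packet when that length exceeds the bytes actually received. The function name rtcp_count_subpackets and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTCP_HDR_LEN 4u

/* Hypothetical helper: walks a compound RTCP packet of `size` received
 * bytes. Returns the number of well-formed sub-packets, or -1 if a header
 * is truncated, has the wrong version, or claims more bytes than remain. */
int rtcp_count_subpackets(const uint8_t *pkt, size_t size)
{
    const uint8_t *p = pkt;
    const uint8_t *end = pkt + size;
    int count = 0;

    while (p < end) {
        size_t remaining = (size_t)(end - p);
        size_t len;

        if (remaining < RTCP_HDR_LEN)
            return -1;                  /* not even a full common header */
        if ((p[0] >> 6) != 2)
            return -1;                  /* RTP/RTCP version must be 2 */

        /* Length field: 32-bit words minus one, network byte order. */
        len = ((size_t)((p[2] << 8) | p[3]) + 1) * 4;
        if (len > remaining)
            return -1;                  /* attacker-controlled length too large */

        /* Only at this point is (p, len) safe to pass to a per-type parser. */
        p += len;
        count++;
    }
    return count;
}

/* Constructed sample: RR (length=1, 8 bytes) followed by SDES (length=2, 12 bytes). */
static const uint8_t good_pkt[] = {
    0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
    0x81, 0xCA, 0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x01, 0x01, 'a', 0x00
};
/* Constructed sample: 8 bytes received, length field 0xFFFF claims 262144. */
static const uint8_t bad_pkt[] = { 0x80, 0xC9, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44 };

int main(void)
{
    printf("good: %d\n", rtcp_count_subpackets(good_pkt, sizeof good_pkt));
    printf("bad:  %d\n", rtcp_count_subpackets(bad_pkt, sizeof bad_pkt));
    return 0;
}
```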
