![(please configure the [header_logo] section in trac.ini)](/repos/chrome/site/pj.jpg)
Opened 5 years ago
Closed 5 years ago
#2166 closed defect (fixed)
Possible buffer overread if RTCP packet length is invalid
| Reported by: | ming | Owned by: | nanang |
|---|---|---|---|
| Priority: | major | Milestone: | release-2.9 |
| Component: | pjmedia | Version: | trunk |
| Keywords: | Cc: | ||
| Backport to 1.x milestone: | Backported: | no |
Description
If RTCP packet length is invalid (contains a large number), there is a potential buffer overread, which may lead to crash when parsing the packet.
The problem is caused because when parsing, we pass the invalid length as the packet size in pjmedia_rtcp_rx_rtcp() (rtcp.c), for example:
len = (pj_ntohs((pj_uint16_t)common->length)+1) * 4;
....
parse_rtcp_report(sess, p, len);
Change History (1)
comment:1 Changed 5 years ago by ming
- Resolution set to fixed
- Status changed from new to closed
Note: See
TracTickets for help on using
tickets.
In 5919: