Opened 6 months ago

Closed 6 months ago

#2166 closed defect (fixed)

Possible buffer overread if RTCP packet length is invalid

Reported by: ming
Owned by: nanang
Priority: major
Milestone: release-2.9
Component: pjmedia
Version: trunk
Keywords: (none)
Cc: (none)
Backport to 1.x milestone: (none)
Backported: no

Description

If the RTCP packet length is invalid (contains a large number), there is a potential buffer overread, which may lead to a crash when parsing the packet.

The problem is caused because, when parsing, we pass the invalid length as the packet size in pjmedia_rtcp_rx_rtcp() (rtcp.c), for example:

    /* len is derived directly from the 16-bit length field in the packet
       header and is not compared against the number of bytes received */
    len = (pj_ntohs((pj_uint16_t)common->length)+1) * 4;
    ....
    parse_rtcp_report(sess, p, len);
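The two sides of this bug, as an added example that is not pjmedia code: rtcp_declared_len() shows the size an unchecked parser would trust (computed exactly as in the snippet above, from the RFC 3550 common header), and rtcp_walk() shows the bounds check that has to sit between that computation and any parsing of the sub-packet. The function names and the RTCP_GOOD / RTCP_BAD_LEN byte arrays are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Minimal RTCP compound-packet walker (constructed example, not pjmedia code).
 * RFC 3550 6.4.1: every RTCP sub-packet starts with a 4-byte common header;
 * the 16-bit "length" field counts 32-bit words minus one, so the byte
 * length of the sub-packet is (length + 1) * 4.
 */

#define RTCP_HDR_LEN 4

/* Read a big-endian (network order) 16-bit value without alignment concerns. */
static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* The size the unchecked parser trusts: taken straight from the header,
   i.e. the same arithmetic as (pj_ntohs(common->length)+1) * 4. */
size_t rtcp_declared_len(const uint8_t *hdr)
{
    return ((size_t)rd_be16(hdr + 2) + 1) * 4;
}

/*
 * Hardened walk: returns the number of well-formed sub-packets, or -1 as soon
 * as a header is truncated or a declared length exceeds the bytes remaining
 * in the receive buffer. Nothing past 'size' is ever dereferenced.
 */
int rtcp_walk(const uint8_t *pkt, size_t size)
{
    size_t off = 0;
    int count = 0;

    while (off < size) {
        const uint8_t *hdr;
        size_t len;
        unsigned version;

        /* Need a full common header before reading any field of it. */
        if (size - off < RTCP_HDR_LEN)
            return -1;

        hdr = pkt + off;
        version = hdr[0] >> 6;
        if (version != 2)
            return -1;

        len = rtcp_declared_len(hdr);

        /* The check the ticket is about: the declared length must fit
           inside what was actually received before it is used as a size. */
        if (len > size - off)
            return -1;

        /* ... dispatch on hdr[1] (payload type) within [hdr, hdr + len) ... */
        off += len;
        count++;
    }
    return count;
}

/* Constructed compound packet: an RR with no report blocks (8 bytes)
   followed by an SDES with one CNAME item (12 bytes). */
const uint8_t RTCP_GOOD[] = {
    0x80, 0xC9, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,             /* RR  */
    0x81, 0xCA, 0x00, 0x02, 0x11, 0x22, 0x33, 0x44,             /* SDES */
    0x01, 0x01, 'a',  0x00                                      /* CNAME "a", END */
};

/* Constructed 8-byte RR whose length field is 0xFFFF: the header claims
   (65535 + 1) * 4 = 262144 bytes although only 8 were received. */
const uint8_t RTCP_BAD_LEN[] = {
    0x80, 0xC9, 0xFF, 0xFF, 0x11, 0x22, 0x33, 0x44
};

int main(void)
{
    printf("good packet: %d sub-packets\n",
           rtcp_walk(RTCP_GOOD, sizeof RTCP_GOOD));
    printf("bad length field declares %zu bytes, checked walk returns %d\n",
           rtcp_declared_len(RTCP_BAD_LEN),
           rtcp_walk(RTCP_BAD_LEN, sizeof RTCP_BAD_LEN));
    return 0;
}
```

The same check also has to be applied per sub-packet, not only to the first header, because a compound packet can carry a valid RR followed by a sub-packet whose length field overruns the buffer; keeping the comparison against the remaining bytes (size - off) inside the loop covers that.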

Change History (1)

comment:1 Changed 6 months ago by ming

  • Resolution set to fixed
  • Status changed from new to closed

In 5919:

Fixed #2166: Possible buffer overread if RTCP packet length is invalid
