[sr-dev] Crash in rtpproxy-ng module
Hugh Waite
hugh.waite at crocodile-rcs.com
Wed Aug 28 19:44:24 CEST 2013
Hello,
I have discovered that calling rtpproxy_manage for a failure response
will cause a segfault if certain flags are passed.
E.g. a "488 Not Acceptable Here" response that calls
rtpproxy_manage("fco+SP") during a failure_route will crash.
This is because the OP_DELETE operation does not initialise the flags
variable. See rtpproxy.c:1119 (rtpp_function_call(...))
I've attached a patch that will only add items to initialised lists. I
assume that no flags are required for a DELETE operation, but please
confirm this and review!
Regards,
Hugh
--
Hugh Waite
Principal Design Engineer
Crocodile RCS Ltd.
-------------- next part --------------
diff --git a/modules/rtpproxy-ng/rtpproxy.c b/modules/rtpproxy-ng/rtpproxy.c
index a86b23a..3288982 100644
--- a/modules/rtpproxy-ng/rtpproxy.c
+++ b/modules/rtpproxy-ng/rtpproxy.c
@@ -1156,18 +1156,18 @@ static bencode_item_t *rtpp_function_call(bencode_buffer_t *bencbuf, struct sip_
case 'a':
case 'A':
- bencode_list_add_string(flags, "asymmetric");
- bencode_list_add_string(flags, "trust-address");
+ if (flags) bencode_list_add_string(flags, "asymmetric");
+ if (flags) bencode_list_add_string(flags, "trust-address");
break;
case 'i':
case 'I':
- bencode_list_add_string(direction, "internal");
+ if (direction) bencode_list_add_string(direction, "internal");
break;
case 'e':
case 'E':
- bencode_list_add_string(direction, "external");
+ if (direction) bencode_list_add_string(direction, "external");
break;
case 'l':
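Review bot: in case 'a'/'A' the two consecutive `if (flags)` tests guard the same pointer and should be one braced block. More generally, guarding each call site means a flag is silently dropped whenever its list was never set up. Since the report says only OP_DELETE leaves these lists uninitialised, consider initialising flags, direction and replace for that operation, or skipping the flag switch when they are unset, so a case added later cannot reintroduce the crash. If the per-case guards stay, a debug log for each ignored flag would show why "asymmetric" or "internal" never reached the proxy.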
@@ -1181,32 +1181,32 @@ static bencode_item_t *rtpp_function_call(bencode_buffer_t *bencbuf, struct sip_
case 'r':
case 'R':
- bencode_list_add_string(flags, "trust-address");
+ if (flags) bencode_list_add_string(flags, "trust-address");
break;
case 'o':
case 'O':
- bencode_list_add_string(replace, "origin");
+ if (replace) bencode_list_add_string(replace, "origin");
break;
case 'c':
case 'C':
- bencode_list_add_string(replace, "session-connection");
+ if (replace) bencode_list_add_string(replace, "session-connection");
break;
case 'f':
case 'F':
- bencode_list_add_string(flags, "force");
+ if (flags) bencode_list_add_string(flags, "force");
break;
case 'w':
case 'W':
- bencode_list_add_string(flags, "symmetric");
+ if (flags) bencode_list_add_string(flags, "symmetric");
break;
case 'x':
case 'X':
- bencode_list_add_string(flags, "auto-bridge");
+ if (flags) bencode_list_add_string(flags, "auto-bridge");
break;
case 't':
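Review bot: the guards in this hunk cover 'r', 'o', 'c', 'f', 'w' and 'x', but the visible diff stops at case 't', and the crash string from the report, "fco+SP", also contains '+', 'S' and 'P', none of which appear in the cases shown. Please confirm that every remaining case that appends to flags, direction or replace is guarded too, or replace the per-case checks with a single check before the switch. The message also leaves open whether a DELETE needs any of these options; if it does, dropping them here changes behaviour rather than only avoiding the segfault.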