[sr-dev] Crash in rtpproxy-ng module

Hugh Waite hugh.waite at crocodile-rcs.com
Wed Aug 28 19:44:24 CEST 2013


Hello,

I have discovered that calling rtpproxy_manage for a failure response 
will cause a segfault if certain flags are passed.
E.g. a "488 Not Acceptable Here" response that calls 
rtpproxy_manage("fco+SP") during a failure_route will crash.

This is because the OP_DELETE operation does not initialise the flags 
variable. See rtpproxy.c:1119 (rtpp_function_call(...))

I've attached a patch that will only add items to initialised lists. I 
assume that no flags are required for a DELETE operation, but please 
confirm this and review!

Regards,
Hugh

-- 
Hugh Waite
Principal Design Engineer
Crocodile RCS Ltd.

-------------- next part --------------
diff --git a/modules/rtpproxy-ng/rtpproxy.c b/modules/rtpproxy-ng/rtpproxy.c
index a86b23a..3288982 100644
--- a/modules/rtpproxy-ng/rtpproxy.c
+++ b/modules/rtpproxy-ng/rtpproxy.c
@@ -1156,18 +1156,18 @@ static bencode_item_t *rtpp_function_call(bencode_buffer_t *bencbuf, struct sip_
 
 		case 'a':
 		case 'A':
-			bencode_list_add_string(flags, "asymmetric");
-			bencode_list_add_string(flags, "trust-address");
+			if (flags) bencode_list_add_string(flags, "asymmetric");
+			if (flags) bencode_list_add_string(flags, "trust-address");
 			break;
 
 		case 'i':
 		case 'I':
-			bencode_list_add_string(direction, "internal");
+			if (direction) bencode_list_add_string(direction, "internal");
 			break;
 
 		case 'e':
 		case 'E':
-			bencode_list_add_string(direction, "external");
+			if (direction) bencode_list_add_string(direction, "external");
 			break;
 
 		case 'l':
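
Review bot: The new `if (flags)` and `if (direction)` guards in cases 'a', 'i' and 'e' only help if those pointers are guaranteed to be NULL when the operation does not create the lists, and the declarations are not visible in this hunk. Please confirm they are initialised to NULL where they are declared; an uninitialised pointer would pass the check and still be dereferenced. In case 'a' the same test is repeated on two consecutive lines, so a single `if (flags) { ... }` block around both adds would read better.
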
@@ -1181,32 +1181,32 @@ static bencode_item_t *rtpp_function_call(bencode_buffer_t *bencbuf, struct sip_
 
 		case 'r':
 		case 'R':
-			bencode_list_add_string(flags, "trust-address");
+			if (flags) bencode_list_add_string(flags, "trust-address");
 			break;
 
 		case 'o':
 		case 'O':
-			bencode_list_add_string(replace, "origin");
+			if (replace) bencode_list_add_string(replace, "origin");
 			break;
 
 		case 'c':
 		case 'C':
-			bencode_list_add_string(replace, "session-connection");
+			if (replace) bencode_list_add_string(replace, "session-connection");
 			break;
 
 		case 'f':
 		case 'F':
-			bencode_list_add_string(flags, "force");
+			if (flags) bencode_list_add_string(flags, "force");
 			break;
 
 		case 'w':
 		case 'W':
-			bencode_list_add_string(flags, "symmetric");
+			if (flags) bencode_list_add_string(flags, "symmetric");
 			break;
 
 		case 'x':
 		case 'X':
-			bencode_list_add_string(flags, "auto-bridge");
+			if (flags) bencode_list_add_string(flags, "auto-bridge");
 			break;
 
 		case 't':
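
Review bot: Guarding each `bencode_list_add_string()` call separately in cases 'r' through 'x' means any case that is missed, or added later, reintroduces the crash. Case 't' below and case 'l' in the previous hunk are unchanged context whose bodies are not shown, so please check that they and the remaining cases do not add to `flags`, `replace` or `direction` unguarded. A single check before the flag parsing that skips list population when the lists were not created, or a small helper that ignores a NULL list, would cover every case in one place. It is also worth a debug log line when a flag is dropped, since the flag string is now ignored silently for this operation.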

