LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1756 Commits
1 Branch
46 MiB
Tree: cceb3799e3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cceb3799e3'
${ noResults }
openwrt-packages-dist/sound/pulseaudio/patches/002-rtp-recv-fix-crash-on-e...

57 lines
2.1 KiB
Raw Normal View History

pulseaudio: fix CVE-2014-3970 Signed-off-by: Jiri Slachta <slachta@cesnet.cz>
10 years ago
 
  1. From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
  2. From: "Alexander E. Patrakov" <patrakov@gmail.com>
  3. Date: Thu, 5 Jun 2014 22:29:25 +0600
  4. Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
  5. 

  6. On FIONREAD returning 0 bytes, we cannot return success, as the caller
  7. (rtpoll_work_cb in module-rtp-recv.c) would then try to
  8. pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
  9. an assertion.
  10. 

  11. Also we have to read out the possible empty packet from the socket, so
  12. that the kernel doesn't tell us again and again about it.
  13. 

  14. Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
  15. ---

  16.  src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
  17.  1 file changed, 23 insertions(+), 2 deletions(-)
  18. 

  19. diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c

  20. index 570737e..7b75e0e 100644

  21. --- a/src/modules/rtp/rtp.c

  22. +++ b/src/modules/rtp/rtp.c

  23. @@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct

  24.          goto fail;
  25.      }
  26.  
  27. -    if (size <= 0)

  28. -        return 0;

  29. +    if (size <= 0) {

  30. +        /* size can be 0 due to any of the following reasons:

  31. +         *

  32. +         * 1. Somebody sent us a perfectly valid zero-length UDP packet.

  33. +         * 2. Somebody sent us a UDP packet with a bad CRC.

  34. +         *

  35. +         * It is unknown whether size can actually be less than zero.

  36. +         *

  37. +         * In the first case, the packet has to be read out, otherwise the

  38. +         * kernel will tell us again and again about it, thus preventing

  39. +         * reception of any further packets. So let's just read it out

  40. +         * now and discard it later, when comparing the number of bytes

  41. +         * received (0) with the number of bytes wanted (1, see below).

  42. +         *

  43. +         * In the second case, recvmsg() will fail, thus allowing us to

  44. +         * return the error.

  45. +         *

  46. +         * Just to avoid passing zero-sized memchunks and NULL pointers to

  47. +         * recvmsg(), let's force allocation of at least one byte by setting

  48. +         * size to 1.

  49. +         */

  50. +        size = 1;

  51. +    }

  52.  
  53.      if (c->memchunk.length < (unsigned) size) {
  54.          size_t l;
  55. -- 

  56. 2.0.0
  57.