From 2fc65173e56910f72ca9a432290f49dd7a3aa82e Mon Sep 17 00:00:00 2001 From: Richard Mudgett Date: Wed, 21 Dec 2016 17:55:48 -0600 Subject: res_rtp_asterisk.c: Initialize ourip passed to ast_find_ourip(). We access uninitialized memory when the 'ourip' parameter does not have an initial guess to our IP address. ASTERISK-26672 Change-Id: I35507ea1ad7455d2be188f6ccdd4add7bd150e15 --- res/res_rtp_asterisk.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index b78fc30bd..1721811ee 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -4912,9 +4912,11 @@ static void ast_rtp_prop_set(struct ast_rtp_instance *instance, enum ast_rtp_pro ast_sockaddr_set_port(&rtp->rtcp->us, ast_sockaddr_port(&rtp->rtcp->us) + 1); + ast_sockaddr_copy(&local_addr, &rtp->rtcp->us); if (!ast_find_ourip(&local_addr, &rtp->rtcp->us, 0)) { ast_sockaddr_set_port(&local_addr, ast_sockaddr_port(&rtp->rtcp->us)); } else { + /* Failed to get local address reset to use default. */ ast_sockaddr_copy(&local_addr, &rtp->rtcp->us); } -- cgit v1.2.3 From 67b47191e9cc7f329d8a6803eb49f8cba8e68b1d Mon Sep 17 00:00:00 2001 From: Richard Mudgett Date: Wed, 21 Dec 2016 17:54:42 -0600 Subject: chan_rtp.c: Fix uninitialized memory crash. unicast_rtp_request() could pass an uninitialized 'us' parameter to ast_ouraddrfor(). If ast_ouraddrfor() returns an error then the 'us' parameter may not get initialized. Thus when the code tries to save the 'us' parameter to the local address we could try to copy a ridiculous sized memory buffer and segfault. * Made pass an initialized 'us' parameter to ast_ouraddrfor() and abort the UnicastRTP channel request if it fails. ASTERISK-26672 Change-Id: I1ef7a7c09f4da4f15dcb6de660d2bcac5f2a95c0 --- channels/chan_rtp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/channels/chan_rtp.c b/channels/chan_rtp.c index 1c824fecc..6eec91e22 100644 --- a/channels/chan_rtp.c +++ b/channels/chan_rtp.c @@ -314,7 +314,12 @@ static struct ast_channel *unicast_rtp_request(const char *type, struct ast_form engine_name = S_COR(ast_test_flag(&opts, OPT_RTP_ENGINE), opt_args[OPT_ARG_RTP_ENGINE], "asterisk"); - ast_ouraddrfor(&address, &local_address); + ast_sockaddr_copy(&local_address, &address); + if (ast_ouraddrfor(&address, &local_address)) { + ast_log(LOG_ERROR, "Could not get our address for sending media to '%s'\n", + args.destination); + goto failure; + } instance = ast_rtp_instance_new(engine_name, NULL, &local_address, NULL); if (!instance) { ast_log(LOG_ERROR, -- cgit v1.2.3 From b576b58d74e2ec85bdd4ea62912261896beee976 Mon Sep 17 00:00:00 2001 From: Richard Mudgett Date: Wed, 21 Dec 2016 16:28:00 -0600 Subject: res_rtp_asterisk.c: Fix uninitialized memory crash. ast_rtp_remote_address_set() could pass an uninitialized 'us' parameter to ast_ouraddrfor(). If ast_ouraddrfor() returns an error then the 'us' parameter may not get initialized. Thus when the code tries to save the 'us' parameter to the local address we could try to copy a ridiculous sized memory buffer and segfault. * Made pass an initialized 'us' parameter to ast_ouraddrfor(). * Optimized out the 'us' struct variable. ASTERISK-26672 #close Change-Id: I4acea5dcdf0813da2c7d3e11c2d6067d160d17dc --- res/res_rtp_asterisk.c | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c index 1721811ee..4c79f8f5b 100644 --- a/res/res_rtp_asterisk.c +++ b/res/res_rtp_asterisk.c @@ -5005,31 +5005,31 @@ static int ast_rtp_fd(struct ast_rtp_instance *instance, int rtcp) static void ast_rtp_remote_address_set(struct ast_rtp_instance *instance, struct ast_sockaddr *addr) { struct ast_rtp *rtp = ast_rtp_instance_get_data(instance); - struct ast_sockaddr local, us; + struct ast_sockaddr local; + ast_rtp_instance_get_local_address(instance, &local); if (!ast_sockaddr_isnull(addr)) { /* Update the local RTP address with what is being used */ - ast_ouraddrfor(addr, &us); - ast_rtp_instance_get_local_address(instance, &local); - ast_sockaddr_set_port(&us, ast_sockaddr_port(&local)); - ast_rtp_instance_set_local_address(instance, &us); + if (ast_ouraddrfor(addr, &local)) { + /* Failed to update our address so reuse old local address */ + ast_rtp_instance_get_local_address(instance, &local); + } else { + ast_rtp_instance_set_local_address(instance, &local); + } } if (rtp->rtcp) { ast_debug(1, "Setting RTCP address on RTP instance '%p'\n", instance); ast_sockaddr_copy(&rtp->rtcp->them, addr); if (!ast_sockaddr_isnull(addr)) { - ast_sockaddr_set_port(&rtp->rtcp->them, - ast_sockaddr_port(addr) + 1); - } + ast_sockaddr_set_port(&rtp->rtcp->them, ast_sockaddr_port(addr) + 1); - if (!ast_sockaddr_isnull(addr)) { /* Update the local RTCP address with what is being used */ - ast_sockaddr_set_port(&us, ast_sockaddr_port(&local) + 1); - ast_sockaddr_copy(&rtp->rtcp->us, &us); + ast_sockaddr_set_port(&local, ast_sockaddr_port(&local) + 1); + ast_sockaddr_copy(&rtp->rtcp->us, &local); ast_free(rtp->rtcp->local_addr_str); - rtp->rtcp->local_addr_str = ast_strdup(ast_sockaddr_stringify(&us)); + rtp->rtcp->local_addr_str = ast_strdup(ast_sockaddr_stringify(&local)); } } @@ -5039,8 +5039,6 @@ static void ast_rtp_remote_address_set(struct ast_rtp_instance *instance, struct rtp->strict_rtp_state = STRICT_RTP_LEARN; rtp_learning_seq_init(&rtp->rtp_source_learn, rtp->seqno); } - - return; } /*! \brief Write t140 redundacy frame -- cgit v1.2.3