
[reSIProcate] [patch] possible memory corruption in SDP codec handling


Hi,

In a usual valgrind run, we noticed that if we call 
SdpContents::Session::Medium::codecs() and then copy the Medium object, we get 
memory reads from places we should not access. The bug was tracked down to a 
misunderstanding between Codec::parse() and the Medium's AttributeHelper: the 
AttributeHelper frees the memory that was used by parse(). Patch and 
testcase to reproduce are attached.

br

Szo
Index: resip/stack/SdpContents.cxx
===================================================================
--- resip/stack/SdpContents.cxx	(revision 9296)
+++ resip/stack/SdpContents.cxx	(working copy)
@@ -1771,7 +1771,7 @@
 {
    const char* anchor = pb.skipWhitespace();
    pb.skipToChar(Symbols::SLASH[0]);
-   pb.data(mName, anchor);
+   mName = pb.data(anchor);
    if(!pb.eof())
    {
       pb.skipChar(Symbols::SLASH[0]);
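Review bot: The new `mName = pb.data(anchor);` fixes the invalid reads only because it takes an owning copy, and nothing at the assignment says so, so a later reader may well revert it to the two-argument form that looks like the cheaper idiom. Per the description, the two-argument `pb.data(mName, anchor)` presumably left mName sharing pb's buffer, which the Medium's AttributeHelper then frees; that reasoning should sit next to the code, e.g. `// copy, not alias: pb's buffer is released by the Medium's AttributeHelper` above the assignment. The same applies to the hunks replacing `pb.data(mEncodingParameters, anchor)` and `pb.data(mParameters, anchor)`. The enclosing function (Codec::parse(), going by the description) starts outside this hunk.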
@@ -1782,7 +1782,7 @@
    {
       anchor = pb.skipChar(Symbols::SLASH[0]);
       pb.skipToEnd();
-      pb.data(mEncodingParameters, anchor);
+      mEncodingParameters = pb.data(anchor);
    }
    mPayloadType = payloadType;
 
@@ -1806,7 +1806,7 @@
             {
                const char* anchor = pb.skipWhitespace();
                pb.skipToEnd();
-               pb.data(mParameters, anchor);
+               mParameters = pb.data(anchor);
                break;
             }
          }
/*
 * compile:
 * g++ -o tester tester.cxx -ldum -lresip -lrutil -lares -lrt -lpthread -rdynamic -Wall -g -I/usr/local/include 
 *
 */

#include <iostream>

#include "resip/stack/SipMessage.hxx"
#include "resip/stack/SdpContents.hxx"

using namespace resip;
using namespace std;

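/*
 * Reproducer for the invalid memory reads seen under valgrind when a Medium's
 * codecs() are parsed and the Medium is then copied: the Codec fields must own
 * their storage rather than reference the parse buffer released by the
 * Medium's AttributeHelper. Run the binary under valgrind; a clean run is the
 * pass criterion. Parse or content failures are reported on stderr and the
 * test returns early instead of dereferencing a null pointer.
 */
void testValgrind()
{
  Data txt("INVITE sip:xxx.xxx.2.92:5100;q=1 SIP/2.0\r\n"
  "To: <sip:dsadsadsadsadsadsa.com@xxxxxxxxxxxxxxxxx>\r\n"
  "From: dsadsadsadsa<sip:dadsadsadsadsadsdaddsa@xxxxxxxxxxxxxxxxx>;tag=ba1aee2d\r\n"
  "Via: SIP/2.0/UDP xxx.xxx.2.220:5060;branch=z9hG4bK-c87542-da4d3e6a.0-1--c87542-;rport=5060;received=xxx.xxx.2.220;stid=579667358\r\n"
  "Via: SIP/2.0/UDP xxx.xxx.2.15:5100;branch=z9hG4bK-c87542-579667358-1--c87542-;rport=5100;received=xxx.xxx.2.15\r\n"
  "Call-ID: 6c64b42fce01b007\r\n"
  "CSeq: 2 INVITE\r\n"
  "Record-Route: <sip:proxy@xxxxxxx.2.220:5060;lr>\r\n"
  "Contact: <sip:xxx.xxx.2.15:5100>\r\n"
  "Max-Forwards: 69\r\n"
  "Content-Type: application/sdp\r\n"
  "Content-Length: 137\r\n"
  "\r\n"
  "v=0\r\n"
  "o=M2TUA 1589993278 1032390928 IN IP4 xxx.xxx.2.16\r\n"
  "s=-\r\n"
  "c=IN IP4 xxx.xxx.2.15\r\n"
  "t=0 0\r\n"
  "m=audio 9000 RTP/AVP 8\r\n"
  "a=rtpmap:8 PCMA/8000\r\n"
  );
  
  auto_ptr<SipMessage> msg(SipMessage::make(txt,false));
  if (msg.get() == 0)
  {
    cerr << "testValgrind: SipMessage::make() did not produce a message" << endl;
    return;
  }

  // The downcast yields null when the body is absent or not SDP; check it
  // rather than crash, so a failed reproduction is reported, not a segfault.
  SdpContents* sdp = dynamic_cast<SdpContents*>(msg->getContents());
  if (sdp == 0)
  {
    cerr << "testValgrind: message body is not SdpContents" << endl;
    return;
  }

  if (sdp->session().media().begin() == sdp->session().media().end())
  {
    cerr << "testValgrind: SDP session has no media description" << endl;
    return;
  }

  // Copy the first Medium, force codec parsing via codecs(), then copy the
  // Medium again: the second copy is the step that produced the invalid reads
  // when Codec fields still pointed into the freed attribute buffer.
  SdpContents::Session::Medium m = *(sdp->session().media().begin());
  list<SdpContents::Session::Codec> x = m.codecs();
  SdpContents::Session::Medium m2(m);
}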

/*
 * Entry point: runs the valgrind reproducer once. Command-line arguments are
 * accepted for conventional signature compatibility but not used.
 */
int main(int argc, char **argv)
{
  (void)argc;
  (void)argv;

  testValgrind();

  return 0;
}