< Previous by Date	Date Index	Next by Date >
	Thread Index	Next in Thread >

[reSIProcate] [PATCH] Reject connection with empty address

From: Nir Soffer <nirs@xxxxxxxxxxx>
Date: Thu, 2 Feb 2012 23:11:56 +0200

This patch fixes a random crash when SDP with empty address is received.

We have seen random crashes in the field and can reproduce them using this SDP:

v=0

o=- 2529516958 2458138078 IN IP4

s=VoipSIP

c=IN IP4

t=0 0

m=audio 0 RTP/AVP

When testing this in debug build, we get an empty address as expected. However, in a real application (optimized build), we get random crashes when handling this SDP.

The crashes usually happen in resip::Data::c_str.

Looking at core dumps, we see that mBuf is NULL or points to some unrelated static error string ("double free ..."). mSize is some random huge value (e.g. 138456879) and mMine has invalid huge values instead of the 3 possible enum values (e.g. resip::Data::Share).

We tried to fix the crashes by checking if the SDP is well formed and found that the parser does not detect the empty address.

The attached patch fix the parser to reject empty address.

Best regards,

Nir Soffer

Index: resip/stack/SdpContents.cxx
===================================================================
--- resip/stack/SdpContents.cxx	(revision 9371)
+++ resip/stack/SdpContents.cxx	(working copy)
@@ -557,7 +557,10 @@
    }
 
    anchor = pb.skipChar();
-   pb.skipToOneOf(Symbols::SLASH, Symbols::CRLF);
+   if (pb.skipToOneOf(Symbols::SLASH, Symbols::CRLF) == anchor)
+      // Empty address
+      pb.fail(__FILE__, __LINE__);
+
    pb.data(mAddress, anchor);
 
    mTTL = 0;
Index: resip/stack/test/testSdp.cxx
===================================================================
--- resip/stack/test/testSdp.cxx	(revision 9371)
+++ resip/stack/test/testSdp.cxx	(working copy)
@@ -554,6 +554,32 @@
        CritLog(<< "Received bad Dialogic fmtp line Ok");
     }
 
+   {
+      /* Connection with empty address - this sdp cause random crashes */
+      const char* txt = ("v=0\r\n"
+                         "o=- 2529516958 2458138078 IN IP4 \r\n"
+                         "s=VoipSIP\r\n"
+                         "c=IN IP4 \r\n"
+                         "t=0 0\r\n"
+                         "m=audio 0 RTP/AVP\r\n");
+
+      HeaderFieldValue hfv(txt, strlen(txt));
+      Mime type("application", "sdp");
+      SdpContents sdp(hfv, type);
+
+      if (sdp.isWellFormed()) {
+         CritLog(<< "Connection with empty address Failed");
+         // In debug build we empty string as expected. However, in optimized
+         // build in a real application we see null buffer, random huge size
+         // (e.g. 138574697), and invalid mMine values.
+         InfoLog(<< "address data == \"" << sdp.session().origin().getAddress() << "\"");
+         InfoLog(<< "address size == " << sdp.session().origin().getAddress().size());
+         assert(!sdp.isWellFormed());
+      }
+
+      CritLog(<< "Connection with empty address Ok");
+   }
+
    return 0;   
 }

Follow-Ups:
- Re: [reSIProcate] [PATCH] Reject connection with empty address
  - From: Scott Godin

Prev by Date: Re: [reSIProcate] Major Merge to Resiprocate SVN Trunk
Next by Date: Re: [reSIProcate] [PATCH] Reject connection with empty address
Previous by thread: Re: [reSIProcate] Major Merge to Resiprocate SVN Trunk
Next by thread: Re: [reSIProcate] [PATCH] Reject connection with empty address
Index(es):
- Date
- Thread