[reSIProcate] [PATCH] Reject connection with empty address

[Scott Godin]

Hi Nir,

Thanks for posting this.  However, I was unable to reproduce any side
effects of this SDP parsing code using SVN mainline.  Perhaps a bug fix in
ParseBuffer, or Data has already fixed this.  I don't see any problems with
the code that produces the empty connection address, and calling c_str on
this should cause the Data buffer to get reallocated to make room for a
null terminator.  Were you using an older resip release?  Let me know if
you think I'm missing something.

Scott

On Thu, Feb 2, 2012 at 4:11 PM, Nir Soffer <nirs at hyperms.com> wrote:

> This patch fixes a random crash when SDP with empty address is received.
>
> We have seen random crashes in the field and can reproduce them using this
> SDP:
>
> v=0
>
> o=- 2529516958 2458138078 IN IP4
> s=VoipSIP
> c=IN IP4
> t=0 0
> m=audio 0 RTP/AVP
>
> When testing this in debug build, we get an empty address as expected.
> However, in a real application (optimized build), we get random crashes
> when handling this SDP.
>
> The crashes usually happen in resip::Data::c_str.
>
> Looking at core dumps, we see that mBuf is NULL or points to some
> unrelated static error string ("double free ..."). mSize is some random
> huge value (e.g. 138456879) and mMine has invalid huge values instead of
> the 3 possible enum values (e.g. resip::Data::Share).
>
> We tried to fix the crashes by checking if the SDP is well formed and
> found that the parser does not detect the empty address.
>
> The attached patch fix the parser to reject empty address.
>
> Best regards,
> Nir Soffer
>
>
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel at resiprocate.org
> https://list.resiprocate.org/mailman/listinfo/resiprocate-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://list.resiprocate.org/pipermail/resiprocate-devel/attachments/20120203/6578f22e/attachment.htm>