libsrtp / Patches / #7 crash in rdb.c when many consecutive SRTCP packets are lost

crash in rdb.c when many consecutive SRTCP packets are lost

#7 crash in rdb.c when many consecutive SRTCP packets are lost

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2007-05-28

Created: 2007-05-28

Creator: Per Cederqvist

Private: No

The replay database contains a buffer overflow. If the first 513 RTCP packets are lost (or if an evil partner starts the RTCP index at 513 instead of 0) the rdb_add_index() function will attempt to modify memory outside of the rdb_t structure.

I enclose two patches. The first adds a new test case to replay_driver, which at least on my computer crashes with a segmentation fault. The second patch fixes the problem.

(rdbx.c seems to already contain the fix.)

Discussion

Per Cederqvist - 2007-05-28

New test case.

replay-driver.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Per Cederqvist - 2007-05-28

Fix for bug.

rdb.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Per Cederqvist - 2007-05-28

Logged In: YES
user_id=129207
Originator: YES

File Added: rdb.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jonathan Lennox - 2010-06-01

I believe this is the same problem that I discovered, and fixed, separately. I've added your test case to the rdb driver.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

crash in rdb.c when many consecutive SRTCP packets are lost

Group

Searches

Help

#7 crash in rdb.c when many consecutive SRTCP packets are lost

Discussion