kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-30 10:33:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

AST-2021-008 - chan_iax2: remote crash on unsupported media format

Browse Source 
If chan_iax2 received a packet with an unsupported media format, for
example vp9, then it would set the frame's format to NULL. This could
then result in a crash later when an attempt was made to access the
format.

This patch makes it so chan_iax2 now ignores/drops frames received
with unsupported media format types.

ASTERISK-29392 #close

Change-Id: Ifa869a90dafe33eed8fd9463574fe6f1c0ad3eb1
This commit is contained in:
Kevin Harwell
2021-05-10 17:59:00 -05:00
committed by Friendly Automation
parent 523a795289
commit 2a141a58b6
1 changed files with 31 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
channels/chan_iax2.c
View File

@@ -4132,6 +4132,7 @@ static void __get_from_jb(const void *p)
long ms; long ms;
long next; long next;
struct timeval now = ast_tvnow(); struct timeval now = ast_tvnow();
struct ast_format *voicefmt;
/* Make sure we have a valid private structure before going on */ /* Make sure we have a valid private structure before going on */
ast_mutex_lock(&iaxsl[callno]); ast_mutex_lock(&iaxsl[callno]);
@@ -4151,10 +4152,9 @@ static void __get_from_jb(const void *p)
ms = ast_tvdiff_ms(now, pvt->rxcore); ms = ast_tvdiff_ms(now, pvt->rxcore);
if(ms >= (next = jb_next(pvt->jb))) { voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat);
struct ast_format *voicefmt; if (voicefmt && ms >= (next = jb_next(pvt->jb))) {
voicefmt = ast_format_compatibility_bitfield2format(pvt->voiceformat); ret = jb_get(pvt->jb, &frame, ms, ast_format_get_default_ms(voicefmt));
ret = jb_get(pvt->jb, &frame, ms, voicefmt ? ast_format_get_default_ms(voicefmt) : 20);
switch(ret) { switch(ret) {
case JB_OK: case JB_OK:
fr = frame.data; fr = frame.data;
@@ -4182,7 +4182,7 @@ static void __get_from_jb(const void *p)
pvt = iaxs[callno]; pvt = iaxs[callno];
} }
} }
break; break;
case JB_DROP: case JB_DROP:
iax2_frame_free(frame.data); iax2_frame_free(frame.data);
break; break;
@@ -6451,8 +6451,14 @@ static int decode_frame(ast_aes_decrypt_key *dcx, struct ast_iax2_full_hdr *fh,
f->frametype = fh->type; f->frametype = fh->type;
if (f->frametype == AST_FRAME_VIDEO) { if (f->frametype == AST_FRAME_VIDEO) {
f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1)); f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40) | ((fh->csub >> 6) & 0x1));
if (!f->subclass.format) {
f->subclass.format = ast_format_none;
}
} else if (f->frametype == AST_FRAME_VOICE) { } else if (f->frametype == AST_FRAME_VOICE) {
f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub)); f->subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
if (!f->subclass.format) {
f->subclass.format = ast_format_none;
}
} else { } else {
f->subclass.integer = uncompress_subclass(fh->csub); f->subclass.integer = uncompress_subclass(fh->csub);
} }
@@ -9929,8 +9935,8 @@ static int socket_process_meta(int packet_len, struct ast_iax2_meta_hdr *meta, s
} else if (iaxs[fr->callno]->voiceformat == 0) { } else if (iaxs[fr->callno]->voiceformat == 0) {
ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n"); ast_log(LOG_WARNING, "Received trunked frame before first full voice frame\n");
iax2_vnak(fr->callno); iax2_vnak(fr->callno);
} else { } else if ((f.subclass.format = ast_format_compatibility_bitfield2format(
f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat); iaxs[fr->callno]->voiceformat))) {
f.datalen = len; f.datalen = len;
if (f.datalen >= 0) { if (f.datalen >= 0) {
if (f.datalen) if (f.datalen)
@@ -10173,11 +10179,17 @@ static int socket_process_helper(struct iax2_thread *thread)
f.frametype = fh->type; f.frametype = fh->type;
if (f.frametype == AST_FRAME_VIDEO) { if (f.frametype == AST_FRAME_VIDEO) {
f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40)); f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub & ~0x40));
if (!f.subclass.format) {
return 1;
}
if ((fh->csub >> 6) & 0x1) { if ((fh->csub >> 6) & 0x1) {
f.subclass.frame_ending = 1; f.subclass.frame_ending = 1;
} }
} else if (f.frametype == AST_FRAME_VOICE) { } else if (f.frametype == AST_FRAME_VOICE) {
f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub)); f.subclass.format = ast_format_compatibility_bitfield2format(uncompress_subclass(fh->csub));
if (!f.subclass.format) {
return 1;
}
} else { } else {
f.subclass.integer = uncompress_subclass(fh->csub); f.subclass.integer = uncompress_subclass(fh->csub);
} }
@@ -11795,6 +11807,11 @@ immediatedial:
f.subclass.frame_ending = 1; f.subclass.frame_ending = 1;
} }
f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat); f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->videoformat);
if (!f.subclass.format) {
ast_variables_destroy(ies.vars);
ast_mutex_unlock(&iaxsl[fr->callno]);
return 1;
}
} else { } else {
ast_log(LOG_WARNING, "Received mini frame before first full video frame\n"); ast_log(LOG_WARNING, "Received mini frame before first full video frame\n");
iax2_vnak(fr->callno); iax2_vnak(fr->callno);
@@ -11816,9 +11833,14 @@ immediatedial:
} else { } else {
/* A mini frame */ /* A mini frame */
f.frametype = AST_FRAME_VOICE; f.frametype = AST_FRAME_VOICE;
if (iaxs[fr->callno]->voiceformat > 0) if (iaxs[fr->callno]->voiceformat > 0) {
f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat); f.subclass.format = ast_format_compatibility_bitfield2format(iaxs[fr->callno]->voiceformat);
else { if (!f.subclass.format) {
ast_variables_destroy(ies.vars);
ast_mutex_unlock(&iaxsl[fr->callno]);
return 1;
}
} else {
ast_debug(1, "Received mini frame before first full voice frame\n"); ast_debug(1, "Received mini frame before first full voice frame\n");
iax2_vnak(fr->callno); iax2_vnak(fr->callno);
ast_variables_destroy(ies.vars); ast_variables_destroy(ies.vars);