[Ccrtp-devel] ccrtp aborts when receiving RTP BYE

[Michel de Boer]

Hi,

On reception of an RTP BYE packet from a Cisco SIP gateway, the RTP 
stack crashes.

The root cause for this crash is the QueueRTCPManager::getBYE can call 
onGotGoodbye with a NULL pointer for reason. The C++ string constructor 
is called with a NULL pointer. This causes an exception.

I don't know what all the code exactly does, but for the time being I 
fixed it as follows in my copy of ccrtp:

QueueRTCPManager::getBYE(RTCPPacket& pkt, size_t& pointer, size_t)
{
       if ( 0 == pkt.fh.block_count )
               return false;

       char *reason = NULL;

       if ( (sizeof(RTCPFixedHeader) + pkt.fh.block_count * sizeof(uint32))
            < pkt.getLength() ) {
               uint16 endpointer = pointer + sizeof(RTCPFixedHeader) +
                       pkt.fh.block_count * sizeof(uint32);
               uint16 len = rtcpRecvBuffer[endpointer];
               reason = new char[len + 1];
               memcpy(reason,rtcpRecvBuffer + endpointer + 1,len);
               reason[len] = '\0';
       } else {
               // MdB: added the else-leg to prevent a crash when
               //      reason is not allocated, so onGotGoodbye cannot
               //      be called. Converting reason to a C++ strings throws
               //      on exception when reason is a NULL pointer.
               reason = new char[1];
               reason[0] = '\0';
       }

The function backtrace of the crash is as follows:

#0  0x40945471 in kill () from /lib/libc.so.6
#1  0x407f2521 in pthread_kill () from /lib/libpthread.so.0
#2  0x407f283b in raise () from /lib/libpthread.so.0
#3  0x40945204 in raise () from /lib/libc.so.6
#4  0x40946830 in abort () from /lib/libc.so.6
#5  0x408c8805 in __cxxabiv1::__terminate(void (*)()) ()
  from /usr/lib/libstdc++.so.5
#6  0x408c8842 in std::terminate() () from /usr/lib/libstdc++.so.5
#7  0x408c89c2 in __cxa_throw () from /usr/lib/libstdc++.so.5
#8  0x40880340 in std::__throw_logic_error(char const*) ()
  from /usr/lib/libstdc++.so.5
#9  0x408babbe in char* std::string::_S_construct<char const*>(char 
const*, char
const*, std::allocator<char> const&, std::forward_iterator_tag) ()
  from /usr/lib/libstdc++.so.5
#10 0x408b68c9 in std::string::string(char const*, std::allocator<char> 
const&)
   () from /usr/lib/libstdc++.so.5
#11 0x4003da39 in 
ost::QueueRTCPManager::getBYE(ost::RTCPCompoundHandler::RTCPPa
cket&, unsigned&, unsigned) (this=0x826e5e0, address@hidden,
   address@hidden) at /usr/include/g++/bits/stl_alloc.h:652
#12 0x4003d59f in ost::QueueRTCPManager::takeInControlPacket() 
(this=0x826e5e0)
   at control.cpp:383
#13 0x4003cd79 in ost::QueueRTCPManager::controlReceptionService() (
   this=0x826e5e0) at control.cpp:202
---Type <return> to continue, or q <return> to quit---
#14 0x08109000 in ost::SingleThreadRTPSession<ost::RTPBaseUDPIPv4Socket, 
ost::RTPBaseUDPIPv4Socket, ost::AVPQueue>::run() ()
#15 0x40a68474 in ost::ThreadImpl::ThreadExecHandler(ost::Thread*) (
   th=0x826e558) at thread.cpp:1096
#16 0x40a673fc in ccxx_exec_handler (th=0x826e558) at thread.cpp:1122
#17 0x407efd80 in pthread_start_thread () from /lib/libpthread.so.0
#18 0x407efe7e in pthread_start_thread_event () from /lib/libpthread.so.0

Regards,
Michel