linphone-developers

Re: [Linphone-developers] invalid memory access in ortp 0.27.0 with sock


From: BOITEUX, Frederic
Subject: Re: [Linphone-developers] invalid memory access in ortp 0.27.0 with socket in connected mode
Date: Thu, 29 Dec 2016 13:48:48 +0000

For your information, I've applied the simple attached patch, and basic tests 
worked (with other unrelated small fixes).

        With regards,
                Fred.

-----Original Message-----
From: Linphone-developers [mailto:address@hidden] On behalf of BOITEUX, Frederic
Sent: Thursday, 29 December 2016 11:04
To: 'address@hidden'
Subject: [Linphone-developers] invalid memory access in ortp 0.27.0 with socket in connected mode

        Hello,

  I'm trying to update our use of the oRTP library (currently 0.23.0) to the latest 
release (0.27.0), and while running the first tests, I found a problem leading to a crash 
in the rtp_session_rtp_recv_abstract() function, when it's trying to copy the 'from' 
address into the msg->net_addr field:

#0  rtp_session_rtp_recv_abstract (socket=<optimized out>, 
    address@hidden, address@hidden, from=0x0, fromlen=0x0)
    at rtpsession_inet.c:1338
1338                    memcpy(&msg->net_addr,from,*fromlen);

The 'from' and 'fromlen' parameters are NULL in socket connected mode, so it 
should test them before trying to read them!


This code was added in the following commit:

commit ec6c4d525eb74a84c375ada341569aac1f7c6976
Author: Sylvain Berfini <address@hidden>
Date:   Thu Oct 29 16:29:58 2015 +0100

    Reworked a few things to make packet injection in reception possible .
@@ -1322,6 +1321,9 @@ int rtp_session_rtp_recv_abstract(ortp_socket_t socket, 
mblk _t *msg, int flags,
                        }
 #endif
                }
+               /*store recv addr for use by modifiers*/
+               memcpy(&msg->net_addr,from,*fromlen);
+               msg->net_addrlen = *fromlen;
        }
        return ret;
 }
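Review bot: The added memcpy(&msg->net_addr,from,*fromlen) and the following msg->net_addrlen = *fromlen dereference from and fromlen unconditionally, and the backtrace above shows both arriving as 0x0 at this line. Wrap both statements in if (from != NULL && fromlen != NULL) and set msg->net_addrlen to 0 otherwise; since the copy length is *fromlen, it is also worth checking it against sizeof(msg->net_addr) before the memcpy.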

This commit has the same kind of lines added or removed in other places.

I'll try to add a test to prevent running this code if from or fromlen is NULL, 
but I don't know if it's sufficient or the right fix for this problem: could 
you check this problem in a more global manner?

        Thanks,
                Fred Boiteux.

This message contains information that may be privileged or confidential and is 
the property of the Capgemini Group. It is intended only for the person to whom 
it is addressed. If you are not the intended recipient, you are not authorized 
to read, print, retain, copy, disseminate, distribute, or use this message or 
any part thereof. If you receive this message in error, please notify the 
sender immediately and delete all copies of this message.


_______________________________________________
Linphone-developers mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/linphone-developers

Attachment: fix_invalid_mem_access_with_from_address.patch
Description: fix_invalid_mem_access_with_from_address.patch
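The guard discussed in the message above (skip the copy when from or fromlen is NULL), written out as an added example; it is not the attached patch and not oRTP code. The struct pkt_meta type, the store_recv_addr() name and the getpeername() fallback for connected sockets are assumptions made for illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical stand-in for the two message fields the commit writes to. */
struct pkt_meta {
    struct sockaddr_storage net_addr;
    socklen_t net_addrlen;
};

/*
 * Record the sender address of a received packet.
 * Returns the stored length, 0 if no address is available, and -1 if the
 * reported length does not fit the destination buffer.
 */
int store_recv_addr(int fd, struct pkt_meta *m,
                    const struct sockaddr *from, const socklen_t *fromlen)
{
    m->net_addrlen = 0;
    memset(&m->net_addr, 0, sizeof(m->net_addr));

    if (from != NULL && fromlen != NULL) {
        /* Unconnected mode: the receive call filled in from/fromlen. */
        if (*fromlen > sizeof(m->net_addr))
            return -1;              /* never copy past net_addr */
        memcpy(&m->net_addr, from, *fromlen);
        m->net_addrlen = *fromlen;
        return (int)m->net_addrlen;
    }

    /* Connected mode: no from/fromlen was supplied, so ask the socket
     * for its peer instead (assumed fallback, not taken from oRTP). */
    socklen_t len = sizeof(m->net_addr);
    if (getpeername(fd, (struct sockaddr *)&m->net_addr, &len) != 0)
        return 0;                   /* no peer known: address stays empty */
    m->net_addrlen = len;
    return (int)len;
}
```

Code that later reads the stored address has to treat a length of 0 as "no address recorded" rather than assuming one is always present.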

