## Summary

- `rtpengine_raise_dtmf_event()` unconditionally dereferences all 10 `pv_spec_t*` pointers via `->setf()` when processing DTMF event JSON
- These pointers are only non-NULL when the corresponding modparam is configured
- Six new DTMF pvars added in 6.1 (`source_label`, `tags`, `type`, `source_ip`, `duration`, `volume`) cause SIGSEGV when users upgrade from 5.8 without adding the new modparams to their config
- The fix wraps each `->setf()` call in a NULL check so unconfigured fields are silently skipped
- Guards applied to all 10 pvars for defense-in-depth (the original 4 have the same vulnerability)
Fixes #4629

## Crash Signature

The reporter's `segfault at 10` matches our reproduction exactly — offset `0x10` is the `setf` function pointer in `pv_spec_t` on x86_64, confirming a NULL pointer dereference.

## Test Results

**6.1 branch** (reporter's version):

| Test | Version | Config | Result |
|------|---------|--------|--------|
| 1 | 6.1.1 (unpatched) | 4 original pvars | **SIGSEGV** — `segfault at 10` |
| 2 | 5.8.8 | 4 original pvars | **No crash** — field ignored |
| 3 | 6.1.1 (patched) | 4 original pvars | **No crash** — field skipped |
| 4 | 6.1.1 (patched) | all 10 pvars | **No crash** — all fields populated |

**master** (6.2.0-dev0):

| Test | Version | Config | Result |
|------|---------|--------|--------|
| 5 | master (unpatched) | 4 original pvars | **SIGSEGV** — same crash |
| 6 | master (patched) | 4 original pvars | **No crash** — field skipped |
| 7 | master (patched) | all 10 pvars | **No crash** — all fields populated |

## Notes

This is a minimal fix addressing the immediate crash. The module maintainers, being more familiar with the internals, may prefer a different approach — for example, restructuring the function to use a lookup table or requiring certain pvars when `dtmf_events_sock` is configured. Happy to adjust based on feedback.

You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/4637

-- Commit Summary --

* rtpengine: fix NULL pv_spec_t dereference in DTMF event handling

-- File Changes --

M src/modules/rtpengine/rtpengine.c (354)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/4637.patch
https://github.com/kamailio/kamailio/pull/4637.diff
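The dereference pattern the Summary describes and the guarded form the fix applies, as an added C example that is not the PR's or the rtpengine module's code: `spec_t`, `pvar_names`, `record_set` and `dtmf_fields_set_with` are constructed stand-ins, the four pre-6.1 pvar names are placeholders, and the struct layout only mimics where `setf` lands in the real `pv_spec_t` on x86_64.

```c
#include <stddef.h>
/* Constructed stand-in for Kamailio's pv_spec_t (not the real definition):
 * an enum-sized type field, then getf and setf; on LP64 x86_64 this puts
 * setf at offset 0x10, the address in the reported "segfault at 10". */
typedef int (*pv_setf_fn)(const char *name, const char *value);
typedef struct { int type; void *getf; pv_setf_fn setf; } spec_t;

enum { NUM_DTMF_PVARS = 10 };
/* Placeholder names for the four pre-6.1 fields (the PR does not list them),
 * then the six pvars added in 6.1. */
static const char *const pvar_names[NUM_DTMF_PVARS] = {
    "orig_1", "orig_2", "orig_3", "orig_4",
    "source_label", "tags", "type", "source_ip", "duration", "volume"};

static int set_count; /* counts setf() calls made while raising one event */
static int record_set(const char *n, const char *v)
{ (void)n; (void)v; set_count++; return 0; }

/* Unpatched shape: every entry is dereferenced, so a NULL spec faults when
 * reading spec->setf. Kept for comparison, never called here. */
void raise_dtmf_event_unguarded(spec_t **t, const char *const *v)
{ for (int i = 0; i < NUM_DTMF_PVARS; i++) t[i]->setf(pvar_names[i], v[i]); }

/* Patched shape: an unconfigured pvar is skipped. Returns fields populated. */
int raise_dtmf_event(spec_t **table, const char *const *values)
{
    int n = 0;
    for (int i = 0; i < NUM_DTMF_PVARS; i++) {
        if (table[i] == NULL) /* the fix: modparam for this pvar not set */
            continue;
        table[i]->setf(pvar_names[i], values[i]);
        n++;
    }
    return n;
}

/* Builds a spec table with only the first `configured` pvars present (the
 * rest NULL, as with a 5.8 config on 6.1) and raises one constructed event. */
int dtmf_fields_set_with(int configured)
{
    static const char *const values[NUM_DTMF_PVARS] = {
        "1", "2", "3", "4", "5", "6", "7", "8", "9", "10"}; /* constructed */
    spec_t specs[NUM_DTMF_PVARS], *table[NUM_DTMF_PVARS];
    for (int i = 0; i < NUM_DTMF_PVARS; i++) {
        specs[i] = (spec_t){0, NULL, record_set};
        table[i] = (i < configured) ? &specs[i] : NULL;
    }
    set_count = 0;
    return raise_dtmf_event(table, values) == set_count ? set_count : -1;
}
int setf_offset(void) { return (int)offsetof(spec_t, setf); }
```

With four of ten pvars configured the guarded path populates four fields and returns; the unguarded function would read `setf` through a NULL pointer on the fifth entry.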
