Hello,

I have discovered that calling rtpproxy_manage for a failure response will cause a segfault if certain flags are passed. E.g. a "488 Not Acceptable Here" response that calls rtpproxy_manage("fco+SP") during a failure_route will crash.

This is because the OP_DELETE operation does not initialise the flags variable. See rtpproxy.c:1119 (rtpp_function_call(...)).

I've attached a patch that will only add items to initialised lists. I assume that no flags are required for a DELETE operation, but please confirm this and review!

Regards,
Hugh

--
Hugh Waite
Principal Design Engineer
Crocodile RCS Ltd.

diff --git a/modules/rtpproxy-ng/rtpproxy.c b/modules/rtpproxy-ng/rtpproxy.c
index a86b23a..3288982 100644
--- a/modules/rtpproxy-ng/rtpproxy.c
+++ b/modules/rtpproxy-ng/rtpproxy.c
@@ -1156,18 +1156,18 @@ static bencode_item_t 
*rtpp_function_call(bencode_buffer_t *bencbuf, struct sip_
 
                case 'a':
                case 'A':
-                       bencode_list_add_string(flags, "asymmetric");
-                       bencode_list_add_string(flags, "trust-address");
+                       if (flags) bencode_list_add_string(flags, "asymmetric");
+                       if (flags) bencode_list_add_string(flags, 
"trust-address");
                        break;
 
                case 'i':
                case 'I':
-                       bencode_list_add_string(direction, "internal");
+                       if (direction) bencode_list_add_string(direction, 
"internal");
                        break;
 
                case 'e':
                case 'E':
-                       bencode_list_add_string(direction, "external");
+                       if (direction) bencode_list_add_string(direction, 
"external");
                        break;
 
                case 'l':
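Review bot: The NULL test is repeated on every statement, including twice in a row in case 'a'/'A', which makes it easy for a later flag case to be added without the guard and bring the crash back. Consider one braced `if (flags) { ... }` in case 'a', or better, decide once before the switch (skip flag parsing when the lists were not created, or always create the lists) so the individual cases need no checks. The body of case 'l' is not visible in this hunk; please confirm it does not touch flags, direction or replace without a check.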
@@ -1181,32 +1181,32 @@ static bencode_item_t 
*rtpp_function_call(bencode_buffer_t *bencbuf, struct sip_
 
                case 'r':
                case 'R':
-                       bencode_list_add_string(flags, "trust-address");
+                       if (flags) bencode_list_add_string(flags, 
"trust-address");
                        break;
 
                case 'o':
                case 'O':
-                       bencode_list_add_string(replace, "origin");
+                       if (replace) bencode_list_add_string(replace, "origin");
                        break;
 
                case 'c':
                case 'C':
-                       bencode_list_add_string(replace, "session-connection");
+                       if (replace) bencode_list_add_string(replace, 
"session-connection");
                        break;
 
                case 'f':
                case 'F':
-                       bencode_list_add_string(flags, "force");
+                       if (flags) bencode_list_add_string(flags, "force");
                        break;
 
                case 'w':
                case 'W':
-                       bencode_list_add_string(flags, "symmetric");
+                       if (flags) bencode_list_add_string(flags, "symmetric");
                        break;
 
                case 'x':
                case 'X':
-                       bencode_list_add_string(flags, "auto-bridge");
+                       if (flags) bencode_list_add_string(flags, 
"auto-bridge");
                        break;
 
                case 't':
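Review bot: With these guards, flag letters such as 'f', 'o' and 'c' are silently ignored when flags or replace is NULL, so a script passing them gets no indication that they had no effect; a debug-level log line or a comment stating that these flags are deliberately ignored for the delete operation would document the assumption raised in the covering mail. The body of case 't' is cut off here and needs the same check if it adds to one of these lists. Also, several added lines are wrapped by the mail client (the string argument sits on its own line, e.g. `"auto-bridge");`, as do the `@@` headers), so the patch will not apply as posted; please resend it as an attachment or via git send-email.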