Asterisk segfault because of 0 length rtcp in res_srtp.c

Hi,
Every few hours Asterisk crashes because of a segfault.

Trace:

(gdb) bt
#0 0x00007f52ff0c91fb in octet_string_is_eq () from /lib64/libsrtp.so.0
#1 0x00007f52ff0c2ab4 in srtp_unprotect_rtcp () from /lib64/libsrtp.so.0
#2 0x00007f52ff2d4d50 in ast_srtp_unprotect (srtp=0x7f5140026f60, buf=0x7f528c037490, len=0x7f51bf1580f4, rtcp=1) at res_srtp.c:346
#3 0x00007f5258540061 in __rtp_recvfrom (instance=0x7f528c034ff0, buf=0x7f528c037490, size=8192, flags=0, sa=0x7f51bf158440, rtcp=0) at res_rtp_asterisk.c:2716
#4 0x00007f5258540108 in rtp_recvfrom (instance=0x7f528c034ff0, buf=0x7f528c037490, size=8192, flags=0, sa=0x7f51bf158440) at res_rtp_asterisk.c:2732
#5 0x00007f5258549ffc in ast_rtp_read (instance=0x7f528c034ff0, rtcp=0) at res_rtp_asterisk.c:5387
#6 0x000000000059ad20 in ast_rtp_instance_read (instance=0x7f528c034ff0, rtcp=0) at rtp_engine.c:516
#7 0x00007f5255a04a74 in sip_rtp_read (ast=0x7f528c05f490, p=0x7f528c033310, faxdetect=0x7f51bf158734) at chan_sip.c:8557
#8 0x00007f5255a052c1 in sip_read (ast=0x7f528c05f490) at chan_sip.c:8663
#9 0x00000000004b6d75 in __ast_read (chan=0x7f528c05f490, dropaudio=0) at channel.c:3969
#10 0x00000000004b8b37 in ast_read (chan=0x7f528c05f490) at channel.c:4401
#11 0x000000000048612b in bridge_handle_trip (bridge_channel=0x7f528c062aa0) at bridge_channel.c:2447
#12 0x0000000000486632 in bridge_channel_wait (bridge_channel=0x7f528c062aa0) at bridge_channel.c:2617
#13 0x0000000000486d24 in bridge_channel_internal_join (bridge_channel=0x7f528c062aa0) at bridge_channel.c:2763
#14 0x000000000046cbf0 in bridge_channel_ind_thread (data=0x7f528c062aa0) at bridge.c:1782
#15 0x0000000000606304 in dummy_start (data=0x7f528c078bc0) at utils.c:1239
#16 0x00007f530276de25 in start_thread () from /lib64/libpthread.so.0
#17 0x00007f5301b13bad in clone () from /lib64/libc.so.6
(gdb) frame 2
#2 0x00007f52ff2d4d50 in ast_srtp_unprotect (srtp=0x7f5140026f60, buf=0x7f528c037490, len=0x7f51bf1580f4, rtcp=1) at res_srtp.c:346
346 res_srtp.c: No such file or directory.
(gdb) p *len
$1 = 0

I also tried to recreate this by deliberately changing the len in ast_srtp_unprotect to 0, and the issue is recreated with the same backtrace (when using libsrtp-1.4.4).

The question is: is it okay for Asterisk to pass the len parameter as 0 to the underlying library (libsrtp), or should this be taken care of in Asterisk itself?

One solution is to upgrade the libsrtp library to libsrtp-1.5.4; then the issue does not occur, because the libsrtp code checks the len variable beforehand.

But if I have to prevent this from happening, what can I do in Asterisk without adversely harming any other functionality? For example, can I return -1 whenever I encounter len as 0?

Other crashes may occur from older versions of libsrtp, so it would be a good idea to upgrade to a supported version.

You would likely want to return a value that gracefully allows the code to move on successfully.
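An added example of the caller-side check the question asks about (this is not Asterisk's or libsrtp's code): the packet length is validated before anything is handed to the unprotect routine, so the *len == 0 case visible in frame #2 of the backtrace never reaches the library. The function names (srtcp_len_check, guarded_unprotect_rtcp, fake_unprotect), the sample buffer and the function-pointer "backend" are all constructed for illustration; the size constants are the fixed parts of an SRTCP packet as defined in RFC 3711.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Asterisk or libsrtp code: a length check that can
 * run before a packet is handed to an SRTCP unprotect routine, so that
 * the *len == 0 case in the backtrace is rejected in the caller.
 * Sizes are the fixed parts of an SRTCP packet (RFC 3711): the RTCP
 * header including SSRC (8), the E-bit/SRTCP index word (4) and the
 * default 80-bit authentication tag (10). */
#define RTCP_HDR_LEN        8
#define SRTCP_INDEX_LEN     4
#define SRTCP_AUTH_TAG_LEN  10
#define SRTCP_MIN_LEN (RTCP_HDR_LEN + SRTCP_INDEX_LEN + SRTCP_AUTH_TAG_LEN)

/* Constructed 22-byte buffer: V=2, P=0, RC=0 (0x80), PT=200 (SR),
 * RTCP length field 4, SSRC 0x11223344, then an E-bit/index word and
 * 10 tag bytes. The tag is not a real MAC; only the framing matters. */
static const unsigned char sample_srtcp[SRTCP_MIN_LEN] = {
    0x80, 0xc8, 0x00, 0x04, 0x11, 0x22, 0x33, 0x44,
    0x80, 0x00, 0x00, 0x01,
    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa
};

/* Constructed buffer whose first byte carries version 0 instead of 2. */
static const unsigned char sample_bad_version[SRTCP_MIN_LEN] = { 0x00 };

/* Returns 0 if buf/len describe something at least long enough to be
 * an SRTCP packet, -1 otherwise. `len` is passed by pointer to mirror
 * the ast_srtp_unprotect(..., len=<ptr>, rtcp=1) call in frame #2;
 * what the caller does with a rejection is the caller's decision. */
int srtcp_len_check(const unsigned char *buf, const int *len)
{
    if (buf == NULL || len == NULL) {
        return -1;
    }
    if (*len <= 0) {                 /* the crash case: *len == 0 */
        return -1;
    }
    if (*len < SRTCP_MIN_LEN) {      /* too short for header+index+tag */
        return -1;
    }
    if ((buf[0] >> 6) != 2) {        /* RTP/RTCP version must be 2 */
        return -1;
    }
    return 0;
}

/* Convenience wrapper for callers that hold the length as a value. */
int srtcp_len_check_n(const unsigned char *buf, int len)
{
    return srtcp_len_check(buf, &len);
}

/* Hypothetical guarded unprotect: the library call is represented by a
 * function pointer so the same check can sit in front of any backend.
 * A packet that fails the check is reported as dropped (-1) and never
 * reaches `unprotect`. */
typedef int (*srtcp_unprotect_fn)(const unsigned char *buf, int *len);

int guarded_unprotect_rtcp(srtcp_unprotect_fn unprotect,
                           const unsigned char *buf, int *len)
{
    if (srtcp_len_check(buf, len) != 0) {
        return -1;
    }
    return unprotect(buf, len);
}

/* Constructed stand-in for the library: accepts whatever it is given
 * and shrinks the reported length by the index word and the tag. */
static int fake_unprotect(const unsigned char *buf, int *len)
{
    (void)buf;
    *len -= SRTCP_INDEX_LEN + SRTCP_AUTH_TAG_LEN;
    return 0;
}

/* Runs the guarded path on the sample buffer with the given length and
 * returns the plaintext length, or -1 if the packet was rejected. */
int demo_unprotect_len(int len)
{
    int n = len;
    if (guarded_unprotect_rtcp(fake_unprotect, sample_srtcp, &n) != 0) {
        return -1;
    }
    return n;
}

int main(void)
{
    int lens[] = { 0, 5, SRTCP_MIN_LEN };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%d -> %s\n", lens[i],
               srtcp_len_check_n(sample_srtcp, lens[i]) == 0 ? "check passed" : "rejected");
    }
    return 0;
}
```

The check is deliberately conservative: it only rejects buffers that cannot possibly be an SRTCP packet (non-positive length, shorter than header plus index plus default tag, wrong version), so a valid packet is never dropped by it, while the zero-length case from the backtrace is stopped regardless of which libsrtp version sits underneath.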
