
pulseaudio: fix CVE-2014-3970

Signed-off-by: Jiri Slachta <slachta@cesnet.cz>
Jiri Slachta 10 years ago
parent commit 32d28bb45c

sound/pulseaudio/Makefile (+1, -1)

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pulseaudio
 PKG_VERSION:=5.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://freedesktop.org/software/pulseaudio/releases/
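Review bot: bumping PKG_RELEASE from 1 to 2 while PKG_VERSION stays at 5.0 is the right way to ship a backported security patch, since it forces a rebuild and a new package version for users without pretending upstream released a new tarball. One thing to keep in mind while touching this file: PKG_SOURCE_URL is still plain http, so the integrity of the fetched 5.0 tarball rests entirely on whatever source checksum this Makefile pins rather than on the transport; worth confirming that check is present when the package is rebuilt with the new release number.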

sound/pulseaudio/patches/002-rtp-recv-fix-crash-on-empty-UDP-packets-CVE-2014-3970.patch (+57, -0)

@@ -0,0 +1,57 @@
+From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
+From: "Alexander E. Patrakov" <patrakov@gmail.com>
+Date: Thu, 5 Jun 2014 22:29:25 +0600
+Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+
+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+---
+ src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 570737e..7b75e0e 100644
+--- a/src/modules/rtp/rtp.c
++++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+         goto fail;
+     }
+ 
+-    if (size <= 0)
+-        return 0;
++    if (size <= 0) {
++        /* size can be 0 due to any of the following reasons:
++         *
++         * 1. Somebody sent us a perfectly valid zero-length UDP packet.
++         * 2. Somebody sent us a UDP packet with a bad CRC.
++         *
++         * It is unknown whether size can actually be less than zero.
++         *
++         * In the first case, the packet has to be read out, otherwise the
++         * kernel will tell us again and again about it, thus preventing
++         * reception of any further packets. So let's just read it out
++         * now and discard it later, when comparing the number of bytes
++         * received (0) with the number of bytes wanted (1, see below).
++         *
++         * In the second case, recvmsg() will fail, thus allowing us to
++         * return the error.
++         *
++         * Just to avoid passing zero-sized memchunks and NULL pointers to
++         * recvmsg(), let's force allocation of at least one byte by setting
++         * size to 1.
++         */
++        size = 1;
++    }
+ 
+     if (c->memchunk.length < (unsigned) size) {
+         size_t l;
+-- 
+2.0.0
+
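Review bot: the fix's safety hinges on a comparison that is not visible in this patch file. The new comment says the zero-length datagram is "read out now and discarded later, when comparing the number of bytes received (0) with the number of bytes wanted (1, see below)", but the hunk's context ends at `if (c->memchunk.length < (unsigned) size) {`, so nothing in this backport shows the discard path; if the pulseaudio 5.0 tree this is applied to lacks that later check, forcing `size = 1` turns the old assertion crash on a NULL memblock into a 1-byte chunk handed to the caller instead of a rejected packet. Since the file carries the upstream commit id 26b9d22dd24c17eb118d0205bf7b02b75d435e3c in its first line, the reviewer should confirm against that commit that the short-read comparison exists in 5.0 and that the patch applies without fuzz, and mention the result in the commit message. A secondary point: the comment itself admits "It is unknown whether size can actually be less than zero", and the new block silently maps a negative FIONREAD result onto the same 1-byte read; that is harmless as long as recvmsg() reports the error, but it is worth noting so a future reader does not mistake `size <= 0` for a deliberate negative-value handler.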