summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch52
-rw-r--r--meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb4
2 files changed, 55 insertions, 1 deletions
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
new file mode 100644
index 0000000000..d5f33dc42e
--- /dev/null
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
@@ -0,0 +1,52 @@
1Upstream-Status: Backport
2
3commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream
4
5rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
6
7On FIONREAD returning 0 bytes, we cannot return success, as the caller
8(rtpoll_work_cb in module-rtp-recv.c) would then try to
9pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
10an assertion.
11
12Also we have to read out the possible empty packet from the socket, so
13that the kernel doesn't tell us again and again about it.
14
15Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
16
17diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
18index 9195493..c45981e 100644
19--- a/src/modules/rtp/rtp.c
20+++ b/src/modules/rtp/rtp.c
21@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
22 goto fail;
23 }
24
25- if (size <= 0)
26- return 0;
27+ if (size <= 0) {
28+ /* size can be 0 due to any of the following reasons:
29+ *
30+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
31+ * 2. Somebody sent us a UDP packet with a bad CRC.
32+ *
33+ * It is unknown whether size can actually be less than zero.
34+ *
35+ * In the first case, the packet has to be read out, otherwise the
36+ * kernel will tell us again and again about it, thus preventing
37+ * reception of any further packets. So let's just read it out
38+ * now and discard it later, when comparing the number of bytes
39+ * received (0) with the number of bytes wanted (1, see below).
40+ *
41+ * In the second case, recvmsg() will fail, thus allowing us to
42+ * return the error.
43+ *
44+ * Just to avoid passing zero-sized memchunks and NULL pointers to
45+ * recvmsg(), let's force allocation of at least one byte by setting
46+ * size to 1.
47+ */
48+ size = 1;
49+ }
50
51 if (c->memchunk.length < (unsigned) size) {
52 size_t l;
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
index 8d8c421179..99f0ef3a46 100644
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
+++ b/meta/recipes-multimedia/pulseaudio/pulseaudio_5.0.bb
@@ -2,7 +2,9 @@ require pulseaudio.inc
2 2
3SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \ 3SRC_URI = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${PV}.tar.xz \
4 file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \ 4 file://0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch \
5 file://volatiles.04_pulse" 5 file://volatiles.04_pulse \
6 file://CVE-2014-3970.patch \
7"
6SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e" 8SRC_URI[md5sum] = "c43749838612f4860465e83ed62ca38e"
7SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939" 9SRC_URI[sha256sum] = "99c13a8b1249ddbd724f195579df79484e9af6418cecf6a15f003a7f36caf939"
8 10