Diffstat (limited to 'meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch')
-rw-r--r-- | meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch | 52 |
1 files changed, 0 insertions, 52 deletions
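--- a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Upstream-Status: Backport
-
-commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream
-
-rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
-
-On FIONREAD returning 0 bytes, we cannot return success, as the caller
-(rtpoll_work_cb in module-rtp-recv.c) would then try to
-pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
-an assertion.
-
-Also we have to read out the possible empty packet from the socket, so
-that the kernel doesn't tell us again and again about it.
-
-Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
-
-diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
-index 9195493..c45981e 100644
---- a/src/modules/rtp/rtp.c
-+++ b/src/modules/rtp/rtp.c
-@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
-goto fail;
-}
-
-- if (size <= 0)
-- return 0;
-+ if (size <= 0) {
-+ /* size can be 0 due to any of the following reasons:
-+ *
-+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
-+ * 2. Somebody sent us a UDP packet with a bad CRC.
-+ *
-+ * It is unknown whether size can actually be less than zero.
-+ *
-+ * In the first case, the packet has to be read out, otherwise the
-+ * kernel will tell us again and again about it, thus preventing
-+ * reception of any further packets. So let's just read it out
-+ * now and discard it later, when comparing the number of bytes
-+ * received (0) with the number of bytes wanted (1, see below).
-+ *
-+ * In the second case, recvmsg() will fail, thus allowing us to
-+ * return the error.
-+ *
-+ * Just to avoid passing zero-sized memchunks and NULL pointers to
-+ * recvmsg(), let's force allocation of at least one byte by setting
-+ * size to 1.
-+ */
-+ size = 1;
-+ }
-
-if (c->memchunk.length < (unsigned) size) {
-size_t l;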