Commit Graph

7151 Commits

Author SHA1 Message Date
jfigus b9da5149e2 Set the algorithm member on cipher_t when allocating AES crypto instance. Apply same fix to NULL cipher. 2014-06-30 19:18:20 +00:00
Travis Cross aa4261d11f Avoid buffer-overflow on short RTCP/SRTCP packets
In `srtp_unprotect_rtcp()` we are not validating that the packet
length is as long as the minimum required.  This would cause
`enc_octet_len` to underflow, which would cause us to try to decrypt
data past the end of the packet in memory -- a buffer over-read and
buffer overflow.

In `srtp_protect_rtcp()`, we were similarly not validating the packet
length.  Here we were also polluting the address of the SRTCP
encrypted flag and index (the `trailer`), causing us to write one word
to a bogus memory address before getting to the encryption where we
would also overflow.

In this commit we add checks to appropriately validate the RTCP/SRTCP
packet lengths.

`srtp_unprotect_rtcp_aead()` (but not protect) did correctly validate
the packet length; this check would now be redundant as the check in
`srtcp_unprotect_rtcp()` will also run first, so it has been removed.
2014-06-30 19:00:35 +00:00
Travis Cross 9ea93c4c50 Avoid buffer over-read on null cipher AEAD
In the defined AEAD modes, SRTP packets must always be encrypted and
authenticated, but SRTCP packets may be only authenticated.  It's
possible, therefore, for us to end up in `srtp_protect_aead()` without
the `sec_serv_conf` bit being set.  We should just ignore this and
encrypt the RTP packet anyway.

What we are doing instead is encrypting the packet anyway, but setting
`enc_start` to NULL first.  This causes `aad_len` to underflow which
will cause us to over-read in `cipher_set_aad()`.

If we could get past that, we would try to read and write memory
starting at 0x0 down in `cipher_encrypt()`.

This commit causes us to not check the `sec_serv_conf` bit and never
set `enc_start` to NULL in `srtp_protect_aead()`.

`srtp_unprotect_aead()` does not contain a similar error.
2014-06-30 19:00:35 +00:00
Travis Cross 3bf2b9af75 Prevent buffer overflow from untrusted RTP/SRTP lengths
When computing the start address of the RTP data to encrypt or SRTP
data to decrypt (`enc_start`), we are using `hdr->cc` (the CSRC
count), which is untrusted data from the packet, and the length field
of an RTP header extension, which is also untrusted and unchecked data
from the packet.

This value then pollutes our calculation of how much data we'll be
encrypting or decrypting (`enc_octet_len`), possibly causing us to
underflow.

We'll then call `cipher_encrypt()` or `cipher_decrypt()` with these
two values, causing us to read from and write to arbitrary addresses
in memory.

(In the AEAD functions, we'd also pollute `aad_len`, which would cause
us to read undefined memory in `cipher_set_aad`.)

This commit adds checks to verify that the `enc_start` we calculate is
sane based on the actual packet length.
2014-06-30 19:00:35 +00:00
Travis Cross d2aaf15992 Fix misspelling in comment 2014-06-30 19:00:34 +00:00
Steve Underwood c3798dbb02 FAX tweaks 2014-06-29 02:11:25 +08:00
Steve Underwood ad1e7e9632 Fixed updating of the modem type after a FAX ECM CTC. 2014-06-28 16:43:05 +08:00
Steve Underwood 557f1d05ac Fixed issue handling modem renegotiation when a T.30 CTC message is received.
Please enter the commit message for your changes. Lines starting
2014-06-23 08:51:41 +08:00
Steve Underwood b15f373cd9 Tweaks 2014-06-20 02:58:33 +08:00
Steve Underwood b780371943 Improved TSB85 tests, which now check call clearing.
FAX now differentiates properly between <page result code> and <image> <page result code> when deciding how to retry.
2014-06-20 00:24:10 +08:00
Brian West d2a487dce3 date would have done the same thing 2014-06-18 08:58:49 -05:00
Brian West fb92ebc8f2 FS-5223 and FS-6603, don't trust docs... sheesh 2014-06-18 08:33:57 -05:00
Brian West 311889634b FS-5223 FS-6603 on platforms that have SO_REUSEPORT it also implies SO_REUSEADDR, On platforms that only have SO_REUSEADDR it seems to imply both in the absence of SO_REUSEPORT. 2014-06-17 21:15:02 -05:00
Michael Jerris 0a6a10f584 FS-6604: fix this same issue in esl too 2014-06-17 12:10:47 -05:00
Peter Olsson e7ee4050b2 Add ldns to .gitignore 2014-06-15 13:51:56 +02:00
Steve Underwood fc7a74905b Various little memory leak possibilities in spandsp sorts, and the spandsp
test suite is now mostly OK with valgrind.
2014-06-14 19:49:05 +08:00
Steve Underwood 94ab52cd01 Improved FAX disconnect handling 2014-06-11 10:52:54 +08:00
Steve Underwood 10647be5a0 Fixed incorrect T.30 CTC messages. Fixed resetting of the CRC generator
in the HDLC tx code
2014-06-11 01:49:29 +08:00
Anthony Minessale 0685027bd8 FS-6574 --resolve 2014-06-09 14:29:08 -04:00
Jeff Lenk a607c20a94 windows fix for a0e9ddf589 2014-06-08 16:06:32 -05:00
Anthony Minessale 36e72b86ca force spandsp rebuild 2014-06-05 22:07:08 +05:00
Travis Cross 31186d815b Improve a parameter name for fs_cli
What we momentarily called log-uuid-chars is now better called
log-uuid-length.  Setting log-uuid-length will specify a truncation
length for UUIDs displayed by setting log-uuid.
2014-06-04 16:07:10 +00:00
Steve Underwood 3549488e8e Fixed a problem in FAX where a received handshake, delayed so much it is
received as we queue a retry, causes the retry frame to remain queued in the
HDLC entity.
2014-06-04 23:54:03 +08:00
Travis Cross c015013e5f Add log-uuid-short option to fs_cli
If log-uuid-short is set, or -S is passed to fs_cli, we only display
the first 8 hex digits of the UUID.  The log-uuid-chars option may
instead be set to specify some other truncation length for the UUID.
2014-06-04 12:01:01 +00:00
Travis Cross a0e9ddf589 Convert esl_true and esl_false to functions
Prior to this commit, an expression such as:

  esl_true("true") ? 42 : 0

...would return 1 rather than 42.
2014-06-04 12:00:31 +00:00
William King 7ce2009fad Fix compiler warning about possibly uninitialized variable in libs/esl 2014-06-02 08:33:05 -07:00
Michael Jerris e992c4c4d8 CID:1216560 Unchecked return value from ioctl 2014-06-02 14:11:07 +00:00
Anthony Minessale dc671d9d82 fix name of fs_ivrd 2014-05-22 16:41:21 -04:00
Michael Jerris b5a223cd1b CID:1215201 Explicit null dereferenced 2014-05-22 15:39:59 +00:00
Travis Cross d0ce18885c Cleanup bad whitespace
Introduced in commit e6ac87f5f1.
2014-05-21 17:25:32 +00:00
Jeff Lenk e6ac87f5f1 fixes for VS2010 code analysis - hope these are OK elsewhere 2014-05-20 22:54:32 -05:00
Jeff Lenk c7f2a19149 FS-6505 download custom ldns lib for windows for now 2014-05-20 17:07:52 -05:00
Anthony Minessale f0aa0fc1d8 seek chain cert from wss.pem just cat together the cert, the key and the chain cert into wss.pem 2014-05-20 23:18:38 +05:00
Michael Jerris 77bddb9f9c FS-6538: silence gcc 4.9 throwing incorrect warning 2014-05-20 15:46:46 +00:00
Anthony Minessale af6c4b00b7 force sofia rebuild 2014-05-20 20:29:17 +05:00
Michael Jerris f683ac2165 FS-6533: --resolve fix gcc 4.9 warning due to useless right-hand operand of comma expression 2014-05-19 10:36:02 -05:00
Michael Jerris 6b9024246f CID:1214189 Division or modulo by float zero 2014-05-16 14:54:54 +00:00
Moises Silva 2b93912ef2 freetdm: Fix raw GSM AT command execution not returning the proper token count 2014-05-11 03:22:27 -04:00
Moises Silva a82e7a7dd1 freetdm: Added gsm debug configuration parameter 2014-05-11 02:55:07 -04:00
Moises Silva b8a32ed0f3 freetdm: Fixes for GSM module 2014-05-10 02:57:17 -04:00
Michael Jerris a933882e7e it's logically impossible for this to be null, we are looping through an array on the stack 2014-05-07 12:54:40 -04:00
Michael Jerris 84886942d2 don't leak body in recv error case 2014-05-07 12:50:53 -04:00
Michael Jerris 7011602550 no need to check if p is null, it can never be null 2014-05-07 12:37:36 -04:00
Steve Underwood 44252a5d69 Various small cleanups in spandsp 2014-05-07 13:11:53 +08:00
Anthony Minessale 88ce7dae1c minor tweak to make ws code work in blocking mode properly when used outside sofia 2014-05-07 06:13:27 +05:00
Steve Underwood 137fb49dc1 Initialise custom TIFF directory offsets, as some versions of libtiff seem
to only set the low 32 bits of the 64 bit offset if the file only contains
a 32 bit offset.
2014-05-07 03:07:07 +08:00
Steve Underwood 9464549eb6 Corrected data type for TIFF directory offsets 2014-05-07 02:28:27 +08:00
Michael Jerris d6fe10979d remove openzap from tree, it has been replaced by freetdm 2014-05-06 11:05:54 -04:00
Steve Underwood 68a3250a69 Missing data modems files. They are a work in progress at this time, so don't
expect any functionality.
2014-05-06 21:21:33 +08:00
Steve Underwood 29ea8e9979 Fixed some ARM embedded assembly language typos 2014-05-05 08:33:55 +08:00