aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2014-10-24 03:39:34 -0400
committerMark H Weaver <mhw@netris.org>2014-10-26 02:55:38 -0400
commit1d1efa6c6a4911ac20e1e3c4fdf0ecb2afb6f54a (patch)
tree5436e00d23572a36b3650ce809aa12c8b9ac6ffd /gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
parent16755848fc7f446ba4572d3c36c9b1d50410e927 (diff)
downloadguix-1d1efa6c6a4911ac20e1e3c4fdf0ecb2afb6f54a.tar
guix-1d1efa6c6a4911ac20e1e3c4fdf0ecb2afb6f54a.tar.gz
gnu: pulseaudio: Fix CVE-2014-3970 and intermittent test failures.
* gnu/packages/patches/pulseaudio-CVE-2014-397.patch: New file. * gnu/packages/patches/pulseaudio-fix-mult-test.patch: New file. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/pulseaudio.scm (pulseaudio): Add patches.
Diffstat (limited to 'gnu/packages/patches/pulseaudio-CVE-2014-3970.patch')
-rw-r--r--gnu/packages/patches/pulseaudio-CVE-2014-3970.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch b/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
new file mode 100644
index 0000000000..073e663112
--- /dev/null
+++ b/gnu/packages/patches/pulseaudio-CVE-2014-3970.patch
@@ -0,0 +1,57 @@
+From 26b9d22dd24c17eb118d0205bf7b02b75d435e3c Mon Sep 17 00:00:00 2001
+From: "Alexander E. Patrakov" <patrakov@gmail.com>
+Date: Thu, 5 Jun 2014 22:29:25 +0600
+Subject: [PATCH] rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
+
+On FIONREAD returning 0 bytes, we cannot return success, as the caller
+(rtpoll_work_cb in module-rtp-recv.c) would then try to
+pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
+an assertion.
+
+Also we have to read out the possible empty packet from the socket, so
+that the kernel doesn't tell us again and again about it.
+
+Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
+---
+ src/modules/rtp/rtp.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
+index 570737e..7b75e0e 100644
+--- a/src/modules/rtp/rtp.c
++++ b/src/modules/rtp/rtp.c
+@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
+ goto fail;
+ }
+
+- if (size <= 0)
+- return 0;
++ if (size <= 0) {
++ /* size can be 0 due to any of the following reasons:
++ *
++ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
++ * 2. Somebody sent us a UDP packet with a bad CRC.
++ *
++ * It is unknown whether size can actually be less than zero.
++ *
++ * In the first case, the packet has to be read out, otherwise the
++ * kernel will tell us again and again about it, thus preventing
++ * reception of any further packets. So let's just read it out
++ * now and discard it later, when comparing the number of bytes
++ * received (0) with the number of bytes wanted (1, see below).
++ *
++ * In the second case, recvmsg() will fail, thus allowing us to
++ * return the error.
++ *
++ * Just to avoid passing zero-sized memchunks and NULL pointers to
++ * recvmsg(), let's force allocation of at least one byte by setting
++ * size to 1.
++ */
++ size = 1;
++ }
+
+ if (c->memchunk.length < (unsigned) size) {
+ size_t l;
+--
+2.0.0
+