./0000775000175000017500000000000012511411357011435 5ustar nielsenrnielsenr./CVE-2014-3970.patch0000664000175000017500000000366112511411357014065 0ustar nielsenrnielsenrUpstream-Status: Backport commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream rtp-recv: fix crash on empty UDP packets (CVE-2014-3970) On FIONREAD returning 0 bytes, we cannot return success, as the caller (rtpoll_work_cb in module-rtp-recv.c) would then try to pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger an assertion. Also we have to read out the possible empty packet from the socket, so that the kernel doesn't tell us again and again about it. Signed-off-by: Alexander E. Patrakov
diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
index 9195493..c45981e 100644
--- a/src/modules/rtp/rtp.c
+++ b/src/modules/rtp/rtp.c
@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
 goto fail;
 }
 
- if (size <= 0)
- return 0;
+ if (size <= 0) {
+ /* size can be 0 due to any of the following reasons:
+ *
+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
+ * 2. Somebody sent us a UDP packet with a bad CRC.
+ *
+ * It is unknown whether size can actually be less than zero.
+ *
+ * In the first case, the packet has to be read out, otherwise the
+ * kernel will tell us again and again about it, thus preventing
+ * reception of any further packets. So let's just read it out
+ * now and discard it later, when comparing the number of bytes
+ * received (0) with the number of bytes wanted (1, see below).
+ *
+ * In the second case, recvmsg() will fail, thus allowing us to
+ * return the error.
+ *
+ * Just to avoid passing zero-sized memchunks and NULL pointers to
+ * recvmsg(), let's force allocation of at least one byte by setting
+ * size to 1.
+ */
+ size = 1;
+ }
 
 if (c->memchunk.length < (unsigned) size) {
 size_t l;
./0001-configure.ac-Check-only-for-libsystemd-not-libsystem.patch0000664000175000017500000000206512511411357025144 0ustar nielsenrnielsenrFrom 002b16f0f2176b4c685e210e335bf69c02563ede Mon Sep 17 00:00:00 2001 From: Martin Jansa Date: Sat, 22 Feb 2014 18:03:10 +0100 Subject: [PATCH] configure.ac: Check only for libsystemd not libsystemd-login * they were merged into libsystemd in systemd-209 Upstream-Status: Pending (it would need to be conditional on systemd version for upstream to accept this) Signed-off-by: Martin Jansa
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 388fae2..fff7a83 100644
--- a/configure.ac
+++ b/configure.ac
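Review bot: In the rtp.c hunk, the `size = 1;` branch of pa_rtp_recv is only safe because of a later bytes-received versus bytes-wanted comparison that lies outside this hunk; the comment refers to it only as "see below". I would name that dependency at the assignment, e.g. `/* relies on the r != size check after recvmsg() to reject the 0-byte read */`, so a later refactor of the check cannot silently restore the NULL-memblock success return. Any host that can reach the receive socket can send empty datagrams, so it is also worth confirming that the failure path they now take does not log at warning level per packet; this is inferred, since that path is not visible here. A regression test that delivers a zero-length datagram and asserts a failure return with no memblock handed back would pin the fix. Minor wording: UDP carries a checksum, so "bad CRC" in the comment would read better as "bad checksum".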
@@ -1160,7 +1160,7 @@ AC_ARG_ENABLE([systemd],
 AS_HELP_STRING([--disable-systemd],[Disable optional systemd support]))
 
 AS_IF([test "x$enable_systemd" != "xno"],
- [PKG_CHECK_MODULES(SYSTEMD, [ libsystemd-login ], HAVE_SYSTEMD=1, HAVE_SYSTEMD=0)],
+ [PKG_CHECK_MODULES(SYSTEMD, [ libsystemd ], HAVE_SYSTEMD=1, HAVE_SYSTEMD=0)],
 HAVE_SYSTEMD=0)
 
 AS_IF([test "x$enable_systemd" = "xyes" && test "x$HAVE_SYSTEMD" = "x0"],
--
1.8.5.3
./volatiles.04_pulse0000664000175000017500000000013312511411357015011 0ustar nielsenrnielsenr# d pulse pulse 0755 /var/run/pulse none