summaryrefslogtreecommitdiffstats
path: root/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch')
-rw-r--r--meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch52
1 files changed, 0 insertions, 52 deletions
diff --git a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch b/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
deleted file mode 100644
index d5f33dc42e..0000000000
--- a/meta/recipes-multimedia/pulseaudio/pulseaudio/CVE-2014-3970.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-Upstream-Status: Backport
-
-commit 26b9d22dd24c17eb118d0205bf7b02b75d435e3c upstream
-
-rtp-recv: fix crash on empty UDP packets (CVE-2014-3970)
-
-On FIONREAD returning 0 bytes, we cannot return success, as the caller
-(rtpoll_work_cb in module-rtp-recv.c) would then try to
-pa_memblock_unref(chunk.memblock) and, because memblock is NULL, trigger
-an assertion.
-
-Also we have to read out the possible empty packet from the socket, so
-that the kernel doesn't tell us again and again about it.
-
-Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
-
-diff --git a/src/modules/rtp/rtp.c b/src/modules/rtp/rtp.c
-index 9195493..c45981e 100644
---- a/src/modules/rtp/rtp.c
-+++ b/src/modules/rtp/rtp.c
-@@ -182,8 +182,29 @@ int pa_rtp_recv(pa_rtp_context *c, pa_memchunk *chunk, pa_mempool *pool, struct
- goto fail;
- }
-
-- if (size <= 0)
-- return 0;
-+ if (size <= 0) {
-+ /* size can be 0 due to any of the following reasons:
-+ *
-+ * 1. Somebody sent us a perfectly valid zero-length UDP packet.
-+ * 2. Somebody sent us a UDP packet with a bad CRC.
-+ *
-+ * It is unknown whether size can actually be less than zero.
-+ *
-+ * In the first case, the packet has to be read out, otherwise the
-+ * kernel will tell us again and again about it, thus preventing
-+ * reception of any further packets. So let's just read it out
-+ * now and discard it later, when comparing the number of bytes
-+ * received (0) with the number of bytes wanted (1, see below).
-+ *
-+ * In the second case, recvmsg() will fail, thus allowing us to
-+ * return the error.
-+ *
-+ * Just to avoid passing zero-sized memchunks and NULL pointers to
-+ * recvmsg(), let's force allocation of at least one byte by setting
-+ * size to 1.
-+ */
-+ size = 1;
-+ }
-
- if (c->memchunk.length < (unsigned) size) {
- size_t l;
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-04 00:43:59 +0000