Date: Wed, 04 Jun 2014 14:40:02 +0600
From: "Alexander E. Patrakov" <>
Subject: CVE request: PulseAudio crash due to empty UDP packet


If one has module-rtp-recv loaded into PulseAudio, then a remote 
attacker can crash this instance of PulseAudio by sending an empty UDP 
packet to the multicast address where module-rtp-recv has decided to 
receive the stream due to a previous SAP/SDP announcement.

When PulseAudio crashes, it says to the log:

E: [alsa-sink-ALC275 Analog] memblock.c: Assertion 'b' failed at 
.../pulseaudio-5.0/src/pulsecore/memblock.c:596, function 
pa_memblock_unref(). Aborting.

So this doesn't look exploitable - just a DoS attack, and PulseAudio 
usually gets respawned anyway.

The problem has been reported upstream, but got no response yet:

The problematic code is in the pa_rtp_recv() function, in the handling 
of the result of the FIONREAD ioctl. It has existed since the introduction 
of the module, i.e. since 2006-04-16 (git commit f1ddf0523), which is 
before version 1.0.

The problem I found is that the function just returns immediately, 
without even attempting to read the zero-sized packet. I don't know how 
this later leads to the failed assertion.

A patch has been sent, but not reviewed and thus not accepted, and thus 
the problem still exists in git master:

I have also tested SAP/SDP handling for the same type of vulnerability, 
but PulseAudio survived an empty UDP packet there just fine.

Alexander E. Patrakov
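
The early return described in the message above, as an added example that is not part of the original post and is not PulseAudio's code: on Linux, FIONREAD reports 0 for an empty datagram, so a receive routine that returns on 0 leaves the datagram queued and the socket stays readable. An AF_UNIX datagram socketpair stands in for the UDP socket so the example runs offline; the function names are hypothetical and the drain-on-zero variant is one possible hardening, not the submitted patch.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if poll() still reports a datagram waiting on fd. */
static int readable(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return poll(&p, 1, 0) == 1 && (p.revents & POLLIN) != 0;
}

/* Pattern from the report: size the read with FIONREAD and return at once
 * when it is 0. Returns bytes read, or -1 when nothing was read. */
static int recv_early_return(int fd, char *buf, size_t len) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0 || size <= 0)
        return -1;                      /* empty datagram stays queued */
    return (int) recv(fd, buf, len, 0);
}

/* Hardened variant (hypothetical): FIONREAD == 0 may mean an empty datagram
 * is queued, so consume it. Returns 0 if drained, -1 if the queue was empty. */
static int recv_drain_empty(int fd, char *buf, size_t len) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0)
        return -1;
    if (size == 0)
        return (int) recv(fd, buf, len, MSG_DONTWAIT);
    return (int) recv(fd, buf, len, 0);
}

/* Sends one empty datagram (constructed input) and reports whether it is
 * still queued after the chosen receive routine ran: 1 = yes, 0 = no. */
int still_queued_after(int hardened) {
    int sv[2], left;
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    if (send(sv[0], "", 0, 0) < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (hardened) recv_drain_empty(sv[1], buf, sizeof buf);
    else          recv_early_return(sv[1], buf, sizeof buf);
    left = readable(sv[1]);
    close(sv[0]); close(sv[1]);
    return left;
}

int main(void) {
    printf("early return: still queued = %d\n", still_queued_after(0));
    printf("drain on 0:   still queued = %d\n", still_queued_after(1));
    return 0;
}
```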
