osmo-mgw leaks host data when forwarding RTP packets
I was testing the new osmo-mgw+osmo-bsc from today's master (54dd4b3f72d90dfbed19ffa7b1e98112add067a6). I can place the call (from msA->msB, the other way it didn't work due to some sccp paging bug according to dexter), but no audio is heard.
Looking at the pcap traces with dexter, everything is fine, all the endpoints and connections are created and handled correctly, and RTP from msA reaches msB and the opposite too. However, no audio can be heard during the call.
It seems the RTP packets going osmo-bts=>osmo-mgw are 87 bytes long, which seems fine, but once they leave the osmo-mgw => osmo-mgcp, then size explodes to 4138 bytes, and the packet contains the initial data + random memory, which in my case contains filesystem paths from my workstation.
So, conclusion, there seems to be some reading out of buffer bounds in the code path in osmo-mgw which receives RTP packets and forwards it. I attach a sample pcap file showing the issue.
#3 Updated by dexter about 2 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 100
The excess data we see in the trace is data from the stack from previous memory usage, its not overflowing anything, but it uses sizeof(buf) as length for the packet that is sent. I have corrected this now.
The patch is up for review: https://gerrit.osmocom.org/4741