Bug #2625
closedosmo-mgw leaks host data when forwarding RTP packets
100%
Description
I was testing the new osmo-mgw+osmo-bsc from today's master (54dd4b3f72d90dfbed19ffa7b1e98112add067a6). I can place the call (from msA->msB, the other way it didn't work due to some sccp paging bug according to dexter), but no audio is heard.
Looking at the pcap traces with dexter, everything is fine, all the endpoints and connections are created and handled correctly, and RTP from msA reaches msB and the opposite too. However, no audio can be heard during the call.
It seems the RTP packets going osmo-bts=>osmo-mgw are 87 bytes long, which seems fine, but once they leave the osmo-mgw => osmo-mgcp, then size explodes to 4138 bytes, and the packet contains the initial data + random memory, which in my case contains filesystem paths from my workstation.
So, conclusion, there seems to be some reading out of buffer bounds in the code path in osmo-mgw which receives RTP packets and forwards it. I attach a sample pcap file showing the issue.
Files
Related issues