oss-sec mailing list archives

CVE request: PulseAudio crash due to empty UDP packet


From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Wed, 04 Jun 2014 14:40:02 +0600

Hello.

If one has module-rtp-recv loaded into PulseAudio, then a remote attacker can crash this instance of PulseAudio by sending an empty UDP packet to the multicast address where module-rtp-recv has decided to receive the stream due to a previous SAP/SDP announcement.

When PulseAudio crashes, it says to the log:

E: [alsa-sink-ALC275 Analog] memblock.c: Assertion 'b' failed at .../pulseaudio-5.0/src/pulsecore/memblock.c:596, function pa_memblock_unref(). Aborting.

So this doesn't look exploitable - just a DoS attack, and PulseAudio usually gets respawned anyway.

The problem has been reported upstream, but got no response yet:

http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020740.html

The problematic code is in the pa_rtp_recv() function, in the handling of the result of the FIONREAD ioctl. It has existed since the introduction of the module, i.e. since 2006-04-16 (git commit f1ddf0523), which is before version 1.0.

The problem I found is that the function just returns immediately, without even attempting to read the zero-sized packet. I don't know how this later leads to the failed assertion.

http://cgit.freedesktop.org/pulseaudio/pulseaudio/tree/src/modules/rtp/rtp.c#n185

A patch has been sent, but it has not been reviewed and thus not accepted, so the problem still exists in git master:

http://lists.freedesktop.org/archives/pulseaudio-discuss/2014-May/020741.html

I have also tested SAP/SDP handling for the same type of vulnerability, but PulseAudio survived an empty UDP packet there just fine.

--
Alexander E. Patrakov
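The FIONREAD handling described in the report, as an added example that is not PulseAudio's code and not from the author of the message: a small C program that binds a UDP socket on the loopback interface, sends itself an empty datagram, and contrasts a handler that returns as soon as FIONREAD reports 0 bytes with one that still calls recv(). The point it shows is that FIONREAD returning 0 does not mean "no datagram": an empty datagram is a real queued message, and if the handler never reads it, the socket stays readable and a level-triggered event loop keeps calling the handler for it. The function names, the loopback socket setup and the 2048-byte buffer are assumptions made for this illustration; the report does not establish the exact path from the unread datagram to the pa_memblock_unref() assertion, so that is not modelled here.

```c
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <poll.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Create a UDP socket bound to 127.0.0.1 on an ephemeral port (assumed
 * test setup) and fill in *addr with the address actually bound. */
static int udp_bound(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;
    if (bind(fd, (struct sockaddr *)addr, sizeof *addr) < 0) { close(fd); return -1; }
    socklen_t len = sizeof *addr;
    if (getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* Non-blocking check: is a datagram still queued on fd? 1 = yes, 0 = no. */
static int readable(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return (poll(&p, 1, 0) == 1 && (p.revents & POLLIN)) ? 1 : 0;
}

/* Fragile pattern (hypothetical name): treat FIONREAD == 0 as "nothing to
 * do" and return without reading.  The zero-length datagram is left in the
 * receive queue, so the socket remains readable and a level-triggered event
 * loop will wake the handler again for the same datagram. */
static int recv_early_return(int fd) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0) return -1;
    if (size <= 0) return 0;           /* returns without dequeuing the datagram */
    char buf[2048];
    ssize_t r = recv(fd, buf, sizeof buf, 0);
    return r < 0 ? -1 : (int)r;
}

/* Robust pattern (hypothetical name): FIONREAD only tells us how big a
 * buffer is needed; the datagram is always consumed with recv(), which
 * returns 0 for an empty UDP datagram and is not an error there. */
static int recv_always_read(int fd) {
    int size = 0;
    if (ioctl(fd, FIONREAD, &size) < 0) return -1;
    char buf[2048];
    ssize_t r = recv(fd, buf, sizeof buf, 0);   /* size == 0 still dequeues */
    return r < 0 ? -1 : (int)r;
}

/* Send one empty datagram (the attacker's packet in the report) to `to`. */
static int send_empty(const struct sockaddr_in *to) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    ssize_t r = sendto(s, "", 0, 0, (const struct sockaddr *)to, sizeof *to);
    close(s);
    return r == 0 ? 0 : -1;
}

/* Deliver an empty datagram to a fresh socket, run `handler` once, and report
 * whether the datagram is still queued afterwards: 1 = handler leaked it,
 * 0 = handler consumed it, -1 = test setup failed. */
static int datagram_left_queued(int (*handler)(int)) {
    struct sockaddr_in addr;
    int fd = udp_bound(&addr);
    if (fd < 0) return -1;
    if (send_empty(&addr) < 0) { close(fd); return -1; }
    struct pollfd p = { .fd = fd, .events = POLLIN };
    if (poll(&p, 1, 1000) != 1) { close(fd); return -1; }   /* wait for delivery */
    if (handler(fd) < 0) { close(fd); return -1; }
    int left = readable(fd);
    close(fd);
    return left;
}

int main(void) {
    printf("early-return handler leaves datagram queued: %d\n",
           datagram_left_queued(recv_early_return));
    printf("always-read handler leaves datagram queued:  %d\n",
           datagram_left_queued(recv_always_read));
    return 0;
}
```

The second handler is the shape of fix a reviewer would expect for this class of bug: use FIONREAD for buffer sizing only, never as the decision whether to read, and treat a 0-byte recv() on a datagram socket as a valid (if useless) packet to be discarded rather than as an error or as "not ready".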

