[Asterisk-code-review] res rtp asterisk: Drop RTCP packets less than 2 words in le... (asterisk[15.0])

George Joseph asteriskteam at digium.com
Wed Sep 6 17:53:08 CDT 2017 

George Joseph has uploaded this change for review. ( https://gerrit.asterisk.org/6458


Change subject: res_rtp_asterisk:  Drop RTCP packets less than 2 words in length
......................................................................

res_rtp_asterisk:  Drop RTCP packets less than 2 words in length

And drop any where it's length field would put some or all of the
block past the end of the received buffer.

Change-Id: I67d89e3c27db83efa0e6b52734f73c88ac2939e2
---
M res/res_rtp_asterisk.c
1 file changed, 12 insertions(+), 7 deletions(-)



  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/58/6458/1

diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c
index 0d67f2b..43ec320 100644
--- a/res/res_rtp_asterisk.c
+++ b/res/res_rtp_asterisk.c
@@ -4784,6 +4784,11 @@
 
 	ast_debug(1, "Got RTCP report of %zu bytes\n", size);
 
+	if (packetwords < 2) {
+		ast_debug(1, "RTCP frame size (%d words) is shorter than 2 words\n", packetwords);
+		return f;
+	}
+
 	while (position < packetwords) {
 		int i, pt, rc;
 		unsigned int length;
@@ -4794,6 +4799,13 @@
 
 		i = position;
 		length = ntohl(rtcpheader[i]);
+		if ((i + (length & 0xffff)) > packetwords) {
+			if (rtpdebug) {
+				ast_debug(1, "RTCP Read too short\n");
+			}
+			return &ast_null_frame;
+		}
+
 		pt = (length & 0xff0000) >> 16;
 		rc = (length & 0x1f000000) >> 24;
 		length &= 0xffff;
@@ -4804,13 +4816,6 @@
 		}
 		rtcp_report->reception_report_count = rc;
 		rtcp_report->ssrc = ntohl(rtcpheader[i + 1]);
-
-		if ((i + length) > packetwords) {
-			if (rtpdebug) {
-				ast_debug(1, "RTCP Read too short\n");
-			}
-			return &ast_null_frame;
-		}
 
 		if (rtcp_debug_test_addr(addr)) {
 			ast_verbose("\n\nGot RTCP from %s\n",

-- 
To view, visit https://gerrit.asterisk.org/6458
To unsubscribe, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 15.0
Gerrit-MessageType: newchange
Gerrit-Change-Id: I67d89e3c27db83efa0e6b52734f73c88ac2939e2
Gerrit-Change-Number: 6458
Gerrit-PatchSet: 1
Gerrit-Owner: George Joseph <gjoseph at digium.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20170906/0f25711a/attachment.html>

More information about the asterisk-code-review mailing list