<p>George Joseph has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/6458">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">res_rtp_asterisk:  Drop RTCP packets less than 2 words in length<br><br>And drop any where it's length field would put some or all of the<br>block past the end of the received buffer.<br><br>Change-Id: I67d89e3c27db83efa0e6b52734f73c88ac2939e2<br>---<br>M res/res_rtp_asterisk.c<br>1 file changed, 12 insertions(+), 7 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/58/6458/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_rtp_asterisk.c b/res/res_rtp_asterisk.c<br>index 0d67f2b..43ec320 100644<br>--- a/res/res_rtp_asterisk.c<br>+++ b/res/res_rtp_asterisk.c<br>@@ -4784,6 +4784,11 @@<br> <br>   ast_debug(1, "Got RTCP report of %zu bytes\n", size);<br> <br>+   if (packetwords < 2) {<br>+            ast_debug(1, "RTCP frame size (%d words) is shorter than 2 words\n", packetwords);<br>+         return f;<br>+    }<br>+<br>  while (position < packetwords) {<br>           int i, pt, rc;<br>                unsigned int length;<br>@@ -4794,6 +4799,13 @@<br> <br>               i = position;<br>                 length = ntohl(rtcpheader[i]);<br>+               if ((i + (length & 0xffff)) > packetwords) {<br>+                  if (rtpdebug) {<br>+                              ast_debug(1, "RTCP Read too short\n");<br>+                     }<br>+                    return &ast_null_frame;<br>+          }<br>+<br>          pt = (length & 0xff0000) >> 16;<br>             rc = (length & 0x1f000000) >> 24;<br>           length &= 0xffff;<br>@@ -4804,13 +4816,6 @@<br>                 }<br>             rtcp_report->reception_report_count = rc;<br>          rtcp_report->ssrc = ntohl(rtcpheader[i + 1]);<br>-<br>-          if 
((i + length) > packetwords) {<br>-                 if (rtpdebug) {<br>-                              ast_debug(1, "RTCP Read too short\n");<br>-                     }<br>-                    return &ast_null_frame;<br>-          }<br> <br>          if (rtcp_debug_test_addr(addr)) {<br>                     ast_verbose("\n\nGot RTCP from %s\n",<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/6458">change 6458</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/6458"/><meta itemprop="name" content="View Change"/></div></div>
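<p>Review bot: In the first hunk (@@ -4784,6 +4784,11 @@), the new early exit for packetwords &lt; 2 uses "return f;" while the short-read path added in the next hunk returns &amp;ast_null_frame. The visible lines do not show what f holds at that point, so either return &amp;ast_null_frame here as well or add a comment saying why f is the right value for a dropped packet. The ast_debug call here is also unconditional, whereas the one in the next hunk is gated on rtpdebug; the two drop paths should log the same way.</p>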
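<p>Review bot: In the second hunk (@@ -4794,6 +4799,13 @@), the bound (i + (length &amp; 0xffff)) &gt; packetwords looks one word too permissive. RFC 3550 defines the RTCP length field as the packet length in 32-bit words minus one, so a block starting at word i occupies words i through i + length inclusive, and a block with i + length equal to packetwords already extends one word past the buffer. Assuming the masked value is used raw, as the visible lines suggest, the drop condition should be (i + (length &amp; 0xffff) + 1) &gt; packetwords. Extracting pt and rc first, then doing "length &amp;= 0xffff;" once before the check, would also avoid masking the field twice.</p>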
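<p>Review bot: In the third hunk (@@ -4804,13 +4816,6 @@), with the old check removed the rtcpheader[i + 1] SSRC read in the context lines depends entirely on the earlier checks, and neither covers it per block. The packetwords &lt; 2 test runs once for the whole buffer, and a later block whose header sits in the last word with a length field of 0 passes (i + 0) &gt; packetwords. Consider requiring i + 1 &lt; packetwords, or a minimum block length of two words, before the SSRC is read.</p>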

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 15.0 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I67d89e3c27db83efa0e6b52734f73c88ac2939e2 </div>
<div style="display:none"> Gerrit-Change-Number: 6458 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: George Joseph <gjoseph@digium.com> </div>