Google Git
Sign in
webrtc / src / 042bb0083898cd07920228d05e437f859becdcd4^! / .
commit042bb0083898cd07920228d05e437f859becdcd4[log] [tgz]
authorPiotr (Peter) Slatala <psla@webrtc.org>Wed Jan 30 22:57:12 2019
committerCommit Bot <commit-bot@chromium.org>Thu Jan 31 03:00:58 2019
tree940ad972d03a4307384403e821f198792d058370
parent287298159ffad6f892da5b3e57b4aa683d0a4c97 [diff]
Fix RTP transport accepting invalid RTCP headers.

Currently, the RtpTransport checks that the packet is either RTP or
RTCP. However, the RTCP check does not verify that the packet is a valid RTP,
and therefore invalid RTCP packets were allowed in the RtpTransport::OnReadPacket.

This change makes sure that the test for RTCP header (IsRtcpPacket) checks that it has the valid RTP version (2).

So far if the packet had the second byte that looked like
RTCP, it would ignore the first byte.


Bug: None
Change-Id: I5d07d497b9ef609c74b6e507c5f3e19e4bf10194
Reviewed-on: https://webrtc-review.googlesource.com/c/120646
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Reviewed-by: Bjorn Mellem <mellem@webrtc.org>
Reviewed-by: Seth Hampson <shampson@webrtc.org>
Commit-Queue: Peter Slatala <psla@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26480}
diff --git a/media/base/rtp_utils.cc b/media/base/rtp_utils.cc
index b162fe5..57e719b 100644
--- a/media/base/rtp_utils.cc
+++ b/media/base/rtp_utils.cc

@@ -287,9 +287,15 @@
 // Check the RTP payload type. If 63 < payload type < 96, it's RTCP.
 // For additional details, see http://tools.ietf.org/html/rfc5761.
 bool IsRtcpPacket(const char* data, size_t len) {
-  if (len < 2) {
+  if (len < kMinRtcpPacketLen) {
     return false;
   }
+
+  // RTCP must be a valid RTP packet.
+  if ((static_cast<uint8_t>(data[0]) >> 6) != kRtpVersion) {
+    return false;
+  }
+
   char pt = data[1] & 0x7F;
   return (63 < pt) && (pt < 96);
 }

diff --git a/pc/rtp_transport_unittest.cc b/pc/rtp_transport_unittest.cc
index f3b2bb6..1079ab4 100644
--- a/pc/rtp_transport_unittest.cc
+++ b/pc/rtp_transport_unittest.cc

@@ -293,11 +293,11 @@
   TransportObserver observer(&transport);
 
   // An rtcp packet.
-  const char data[] = {0, 73, 0, 0};
+  const unsigned char data[] = {0x80, 73, 0, 0};
   const int len = 4;
   const rtc::PacketOptions options;
   const int flags = 0;
-  fake_rtp.SendPacket(data, len, options, flags);
+  fake_rtp.SendPacket(reinterpret_cast<const char*>(data), len, options, flags);
   EXPECT_EQ(0, observer.rtp_count());
   EXPECT_EQ(1, observer.rtcp_count());
 }