RTP_EncDec: avoid crashes caused by invalid RTP packets

The function f__RTP__dec accepts data (RTP packet) of arbitrary length, but it also accesses regions of the RTP header using fixed indexes. In case the RTP packet is shorter than those indexes, a segmentation failt occurs. This can be avoided by checking if the incoming RTP packet has at least a minimum size of 12 bytes. In this case we would return an empty ret_val.

Thanks for the fix. However, I don't think you should be changing the copyright date of ericsson.

added 1 commit

• d592b0ac - Update RTP_EncDec.cc

Compare with previous version

Thanks, that slipped through. I have now fixed it. Unfortunately I could not push the fixed commit, so I edited the change in the web UI. The changes are still separate, but I have checked the "Squash commits when merge request is accepted checkbox.". That is also what the manual recommends: https://docs.gitlab.com/ee/user/project/merge_requests/squash_and_merge.html

Returning an unbound value is dangerous. Please modify the RTP_messages_union like:

type union RTP_messages_union{
  PDU_RTCP              rtcp,
  PDU_RTP               rtp,
  octetsring            unknown_pdu
}

and

ret_val.unknown__pdu()=data;
return ret_val;

added 1 commit

• 21e7be6b - Update RTP_EncDec.cc and RTP_Types.ttcn

Compare with previous version

Hello @gszalai,

Thanks for your input. I have now added an unknown_pdu member to RTP_messages_union. I have also tried the patch in my environment to make sure everything works as expected.

best regards, Philipp

merged