[S] Change in libosmo-abis[master]: rtp2trau HR to DL: validate ToC octet of RFC 5993 - gerrit-log

3 Mar 2025

laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/39626?usp=email )
Change subject: rtp2trau HR to DL: validate ToC octet of RFC 5993
......................................................................
rtp2trau HR to DL: validate ToC octet of RFC 5993
This validation serves two purposes:
* Payloads that just happen to be 15 bytes long but aren't valid
  RFC 5993 should be rejected;
* Super-5993 extensions of TW-TS-002 are valid only in UL, not in DL
  - catch and block them.
Change-Id: Ibbaa1e1e12254eaf75a999dd1b58e2145eff158c
---
M src/trau/trau_rtp_conv.c
1 file changed, 26 insertions(+), 1 deletion(-)
Approvals:
  laforge: Looks good to me, but someone else must approve
  pespin: Looks good to me, approved
  Jenkins Builder: Verified

diff --git a/src/trau/trau_rtp_conv.c b/src/trau/trau_rtp_conv.c
index d795947..8307112 100644
--- a/src/trau/trau_rtp_conv.c
+++ b/src/trau/trau_rtp_conv.c
@@ -660,6 +660,27 @@
    case GSM_HR_BYTES:
    	break;
    case GSM_HR_BYTES_RTP_RFC5993:
+		/* Require RFC 5993 valid frame, i.e., no BFIs etc.
+		 * The ToC octet which we need to check has this format:
+		 *
+		 * +----+----+----+----+----+----+----+----+
+		 * |0x80|     0x70     |0x08|0x04|0x02|0x01| hex mask
+		 * +----+----+----+----+----+----+----+----+
+		 * | F  |      FT      | R  | R  | R  | R  | meaning
+		 * +----+----+----+----+----+----+----+----+
+		 * (RFC 5993 Figure 3, converted from big-endian bit numbers
+		 *  to hex masks)
+		 *
+		 * We would like to enforce this condition:
+		 *
+		 * (F==0 && (FT==0 || FT==2))
+		 *
+		 * Masking with 0xD0 is the most efficient way to perform
+		 * the desired check: we accept either 0x00 or 0x20 in the
+		 * upper nibble, and anything in the lower nibble.
+		 */
+		if (data[0] & 0xD0)
+			return -EINVAL;
    	data++;
    	data_len--;
    	break;
@@ -815,6 +836,10 @@
    case GSM_HR_BYTES:
    	break;
    case GSM_HR_BYTES_RTP_RFC5993:
+		/* Require RFC 5993 valid frame, i.e., no BFIs etc.
+		 * See rtp2trau_hr16() above for explanation. */
+		if (data[0] & 0xD0)
+			return -EINVAL;
    	data++;
    	data_len--;
    	break;
@@ -1688,7 +1713,7 @@
  *   defined in ETSI TS 101 318 for FR, HR and EFR; the ones for FR and EFR
  *   are also duplicated in RFC 3551.  In the case of HR codec, RFC 5993 input
  *   is also appropriate as specified in 3GPP TS 48.103 - as long as the user
- *   remembers that the extra header octet is ignored.
+ *   remembers that the extra header octet is ignored beyond validation check.
  *
  * - The only correct way to implement TrFO for GSM, accepting FR/HR/EFR from
  *   call leg A uplink in TW-TS-001 or TW-TS-002 format and generating TRAU-DL
-- 
To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39626?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email

Gerrit-MessageType: merged
Gerrit-Project: libosmo-abis
Gerrit-Branch: master
Gerrit-Change-Id: Ibbaa1e1e12254eaf75a999dd1b58e2145eff158c
Gerrit-Change-Number: 39626
Gerrit-PatchSet: 4
Gerrit-Owner: falconia falcon@freecalypso.org
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge laforge@osmocom.org
Gerrit-Reviewer: pespin pespin@sysmocom.de



    