laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/39626?usp=email ) Change subject: rtp2trau HR to DL: validate ToC octet of RFC 5993 ...................................................................... rtp2trau HR to DL: validate ToC octet of RFC 5993 This validation serves two purposes: * Payloads that just happen to be 15 bytes long but aren't valid RFC 5993 should be rejected; * Super-5993 extensions of TW-TS-002 are valid only in UL, not in DL - catch and block them. Change-Id: Ibbaa1e1e12254eaf75a999dd1b58e2145eff158c --- M src/trau/trau_rtp_conv.c 1 file changed, 26 insertions(+), 1 deletion(-) Approvals: laforge: Looks good to me, but someone else must approve pespin: Looks good to me, approved Jenkins Builder: Verified diff --git a/src/trau/trau_rtp_conv.c b/src/trau/trau_rtp_conv.c index d795947..8307112 100644 --- a/src/trau/trau_rtp_conv.c +++ b/src/trau/trau_rtp_conv.c @@ -660,6 +660,27 @@ case GSM_HR_BYTES: break; case GSM_HR_BYTES_RTP_RFC5993: + /* Require RFC 5993 valid frame, i.e., no BFIs etc. + * The ToC octet which we need to check has this format: + * + * +----+----+----+----+----+----+----+----+ + * |0x80| 0x70 |0x08|0x04|0x02|0x01| hex mask + * +----+----+----+----+----+----+----+----+ + * | F | FT | R | R | R | R | meaning + * +----+----+----+----+----+----+----+----+ + * (RFC 5993 Figure 3, converted from big-endian bit numbers + * to hex masks) + * + * We would like to enforce this condition: + * + * (F==0 && (FT==0 || FT==2)) + * + * Masking with 0xD0 is the most efficient way to perform + * the desired check: we accept either 0x00 or 0x20 in the + * upper nibble, and anything in the lower nibble. + */ + if (data[0] & 0xD0) + return -EINVAL; data++; data_len--; break; @@ -815,6 +836,10 @@ case GSM_HR_BYTES: break; case GSM_HR_BYTES_RTP_RFC5993: + /* Require RFC 5993 valid frame, i.e., no BFIs etc. + * See rtp2trau_hr16() above for explanation. */ + if (data[0] & 0xD0) + return -EINVAL; data++; data_len--; break; @@ -1688,7 +1713,7 @@ * defined in ETSI TS 101 318 for FR, HR and EFR; the ones for FR and EFR * are also duplicated in RFC 3551. In the case of HR codec, RFC 5993 input * is also appropriate as specified in 3GPP TS 48.103 - as long as the user - * remembers that the extra header octet is ignored. + * remembers that the extra header octet is ignored beyond validation check. * * - The only correct way to implement TrFO for GSM, accepting FR/HR/EFR from * call leg A uplink in TW-TS-001 or TW-TS-002 format and generating TRAU-DL -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39626?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: Ibbaa1e1e12254eaf75a999dd1b58e2145eff158c Gerrit-Change-Number: 39626 Gerrit-PatchSet: 4 Gerrit-Owner: falconia <falcon(a)freecalypso.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>