Closed Bug 1325173 Opened 9 years ago Closed 9 years ago

RtpStreamId is truncated when read from RTP extension header

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla55

Tracking Flags:

Tracking

Status

firefox55

---

fixed

People

(Reporter: ng, Assigned: ng)

References

Details

Attachments

(1 file, 1 obsolete file)

Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. 9 years ago Nico Grunbaum [:ng, @chew:mozilla.org] 59 bytes, text/x-review-board-request	drno : review+	Details
Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. 9 years ago Nico Grunbaum [:ng, @chew:mozilla.org] 59 bytes, text/x-review-board-request	drno : review+	Details

Nico Grunbaum [:ng, @chew:mozilla.org]

Assignee

Description

•

9 years ago

When deserializing the RtpStreamId header extension the length field should be interpreted as (length of id)-1 as per rfc5285 section 4.2[0]. E.g. a header length value of 2 indicates the id is 3 bytes. It is currently interpreted as (length of id). Deserialization occurs in RtpHeaderParser::ParseOneByteExtensionHeader[1] [0] https://tools.ietf.org/html/rfc5285#section-4.2 [1] (revision permalink) https://dxr.mozilla.org/mozilla-central/rev/c36fbe84042debef0a5d58b7fc88185b401762ce/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc#493

Dan Minor [:dminor]

Updated

•

9 years ago

Rank: 25

Priority: -- → P2

Nico Grunbaum [:ng, @chew:mozilla.org]

Assignee

Updated

•

9 years ago

Assignee: nobody → na-g

Nico Grunbaum [:ng, @chew:mozilla.org]

Assignee

Comment 1

•

9 years ago

https://treeherder.mozilla.org/#/jobs?repo=try&revision=4a1e0fad1138

Comment hidden (mozreview-request)

Randell Jesup [:jesup] (needinfo me)

Comment 3

•

9 years ago

mozreview-review

Comment on attachment 8820860 [details] Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. https://reviewboard.mozilla.org/r/100250/#review100860 drive-by - I wrote this code Add a comment that length is L+1

Attachment #8820860 - Flags: review+

Randell Jesup [:jesup] (needinfo me)

Updated

•

9 years ago

Attachment #8820860 - Flags: review?(drno)

Nils Ohlmeier [:drno]

Comment 4

•

9 years ago

mozreview-review

Comment on attachment 8820860 [details] Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. https://reviewboard.mozilla.org/r/100250/#review100862 ::: media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc:501 (Diff revision 1) > - char* ptrRID = new char[len+1]; > - memcpy(ptrRID, ptr, len); > - ptrRID[len] = '\0'; > + char* ptrRID = new char[len + 2]; > + memcpy(ptrRID, ptr, len + 1); > + ptrRID[len + 1] = '\0'; I think we should have a length check here as well. The maximum size is already limited through the size of |len|. But if |len| happens to be zero this read one random byte from after the RTP header extension.

Attachment #8820860 - Flags: review+

Randell Jesup [:jesup] (needinfo me)

Comment 5

•

9 years ago

(In reply to Nils Ohlmeier [:drno] from comment #4) > I think we should have a length check here as well. The maximum size is > already limited through the size of |len|. But if |len| happens to be zero > this read one random byte from after the RTP header extension. If len=0 that means the RID is 1 byte. So it will allocate 2 bytes, copy one byte (correct), and add a null terminator. That's correct.

Nico Grunbaum [:ng, @chew:mozilla.org]

Assignee

Comment 6

•

9 years ago

mozreview-review-reply

Comment on attachment 8820860 [details] Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. https://reviewboard.mozilla.org/r/100250/#review100862 > I think we should have a length check here as well. The maximum size is already limited through the size of |len|. But if |len| happens to be zero this read one random byte from after the RTP header extension. A len of zero indicates that |RtpStreamId| is 1. All possible values over the range of the masked len are valid. I don't think a check is necessary.

Comment hidden (mozreview-request)

Iñaki Baz Castillo

Comment 9

•

9 years ago

I know this bug is about parsing RID header extension, but in Firefox stable (51.0.1 OSX) I'm experimenting a similar issue when parsing RID header extension in RTP packets generated by Firefox. The len field is 0 (so it means 1 according to the 4 bytes format) but data[0] is always '\0'.

Iñaki Baz Castillo

Comment 10

•

9 years ago

Sorry, forget my comment. There is a bug but it's different (I'll report it in a new issue).

Nils Ohlmeier [:drno]

Comment 11

•

9 years ago

Nico, do you remember why we haven't landed this yet?

Flags: needinfo?(na-g)

Nico Grunbaum [:ng, @chew:mozilla.org]

Assignee

Comment 12

•

9 years ago

Nils, I don't remember. If there is a reason I am sure we will remember shortly after it lands. I will rebase it, send it back through try, and land it Monday.

Flags: needinfo?(na-g)

Comment hidden (mozreview-request)

Nico Grunbaum [:ng, @chew:mozilla.org]

Assignee

Updated

•

9 years ago

Attachment #8820860 - Attachment is obsolete: true

Nils Ohlmeier [:drno]

Comment 14

•

9 years ago

mozreview-review

Comment on attachment 8843851 [details] Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. https://reviewboard.mozilla.org/r/117460/#review119298

Attachment #8843851 - Flags: review?(drno) → review+

Pulsebot

Comment 15

•

9 years ago

Pushed by na-g@nostrum.com: https://hg.mozilla.org/integration/autoland/rev/98a314e77d6c read full RtpStreamId when parsing RTP header extensions. r=drno

Carsten Book [:Tomcat]

Comment 16

•

9 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/98a314e77d6c

Status: NEW → RESOLVED

Closed: 9 years ago

status-firefox55: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla55

You need to log in before you can comment on or make changes to this bug.