laforge has submitted this change. (
https://gerrit.osmocom.org/c/libosmo-abis/+/39626?usp=email )
Change subject: rtp2trau HR to DL: validate ToC octet of RFC 5993
......................................................................
rtp2trau HR to DL: validate ToC octet of RFC 5993
This validation serves two purposes:
* Payloads that just happen to be 15 bytes long but aren't valid
RFC 5993 should be rejected;
* Super-5993 extensions of TW-TS-002 are valid only in UL, not in DL
- catch and block them.
Change-Id: Ibbaa1e1e12254eaf75a999dd1b58e2145eff158c
---
M src/trau/trau_rtp_conv.c
1 file changed, 26 insertions(+), 1 deletion(-)
Approvals:
laforge: Looks good to me, but someone else must approve
pespin: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/trau/trau_rtp_conv.c b/src/trau/trau_rtp_conv.c
index d795947..8307112 100644
--- a/src/trau/trau_rtp_conv.c
+++ b/src/trau/trau_rtp_conv.c
@@ -660,6 +660,27 @@
case GSM_HR_BYTES:
break;
case GSM_HR_BYTES_RTP_RFC5993:
+ /* Require RFC 5993 valid frame, i.e., no BFIs etc.
+ * The ToC octet which we need to check has this format:
+ *
+ * +----+----+----+----+----+----+----+----+
+ * |0x80| 0x70 |0x08|0x04|0x02|0x01| hex mask
+ * +----+----+----+----+----+----+----+----+
+ * | F | FT | R | R | R | R | meaning
+ * +----+----+----+----+----+----+----+----+
+ * (RFC 5993 Figure 3, converted from big-endian bit numbers
+ * to hex masks)
+ *
+ * We would like to enforce this condition:
+ *
+ * (F==0 && (FT==0 || FT==2))
+ *
+ * Masking with 0xD0 is the most efficient way to perform
+ * the desired check: we accept either 0x00 or 0x20 in the
+ * upper nibble, and anything in the lower nibble.
+ */
+ if (data[0] & 0xD0)
+ return -EINVAL;
data++;
data_len--;
break;
@@ -815,6 +836,10 @@
case GSM_HR_BYTES:
break;
case GSM_HR_BYTES_RTP_RFC5993:
+ /* Require RFC 5993 valid frame, i.e., no BFIs etc.
+ * See rtp2trau_hr16() above for explanation. */
+ if (data[0] & 0xD0)
+ return -EINVAL;
data++;
data_len--;
break;
@@ -1688,7 +1713,7 @@
* defined in ETSI TS 101 318 for FR, HR and EFR; the ones for FR and EFR
* are also duplicated in RFC 3551. In the case of HR codec, RFC 5993 input
* is also appropriate as specified in 3GPP TS 48.103 - as long as the user
- * remembers that the extra header octet is ignored.
+ * remembers that the extra header octet is ignored beyond validation check.
*
* - The only correct way to implement TrFO for GSM, accepting FR/HR/EFR from
* call leg A uplink in TW-TS-001 or TW-TS-002 format and generating TRAU-DL
--
To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/39626?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: merged
Gerrit-Project: libosmo-abis
Gerrit-Branch: master
Gerrit-Change-Id: Ibbaa1e1e12254eaf75a999dd1b58e2145eff158c
Gerrit-Change-Number: 39626
Gerrit-PatchSet: 4
Gerrit-Owner: falconia <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
