Check packet length more strictly

pion · Aug 9, 2023 · 11575ef · 11575ef
1 parent 53779ad
commit 11575ef
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/errors.go b/errors.go
@@ -22,6 +22,7 @@ var (
 	errSDESMissingType          = errors.New("rtcp: sdes item missing type")
 	errReasonTooLong            = errors.New("rtcp: reason must be < 255 octets long")
 	errBadVersion               = errors.New("rtcp: invalid packet version")
+	errBadLength                = errors.New("rtcp: invalid packet length")
 	errWrongPadding             = errors.New("rtcp: invalid padding value")
 	errWrongFeedbackType        = errors.New("rtcp: wrong feedback message type")
 	errWrongPayloadType         = errors.New("rtcp: wrong payload type")

diff --git a/full_intra_request.go b/full_intra_request.go
@@ -67,6 +67,11 @@ func (p *FullIntraRequest) Unmarshal(rawPacket []byte) error {
 		return errWrongType
 	}
 
+	// The FCI field MUST contain one or more FIR entries
+	if 4*h.Length-firOffset <= 0 || (4*h.Length)%8 != 0 {
+		return errBadLength
+	}
+
 	p.SenderSSRC = binary.BigEndian.Uint32(rawPacket[headerLength:])
 	p.MediaSSRC = binary.BigEndian.Uint32(rawPacket[headerLength+ssrcLength:])
 	for i := headerLength + firOffset; i < (headerLength + int(h.Length*4)); i += 8 {

diff --git a/transport_layer_nack.go b/transport_layer_nack.go
@@ -135,6 +135,11 @@ func (p *TransportLayerNack) Unmarshal(rawPacket []byte) error {
 		return errWrongType
 	}
 
+	// The FCI field MUST contain at least one and MAY contain more than one Generic NACK
+	if 4*h.Length <= nackOffset || (4*h.Length-nackOffset)%4 != 0 {
+		return errBadLength
+	}
+
 	p.SenderSSRC = binary.BigEndian.Uint32(rawPacket[headerLength:])
 	p.MediaSSRC = binary.BigEndian.Uint32(rawPacket[headerLength+ssrcLength:])
 	for i := headerLength + nackOffset; i < (headerLength + int(h.Length*4)); i += 4 {