Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent OOB read for RTCP XR block #2924

Closed
wants to merge 2 commits into from
Closed

Prevent OOB read for RTCP XR block #2924

wants to merge 2 commits into from

Conversation

trengginas
Copy link
Member

When receiving RTCP XR block, the packet will be parsed by using cast

switch (rb_hdr->bt) {
case BT_RR_TIME:
    rb_rr_time = (pjmedia_rtcp_xr_rb_rr_time*) rb_hdr;
    break;
case BT_DLRR:
    rb_dlrr = (pjmedia_rtcp_xr_rb_dlrr*) rb_hdr;
    break;
case BT_STATS:
    rb_stats = (pjmedia_rtcp_xr_rb_stats*) rb_hdr;
    break;
case BT_VOIP_METRICS:
    rb_voip_mtc = (pjmedia_rtcp_xr_rb_voip_mtc*) rb_hdr;
    break;
default:
    break;
}

Without checking the length, this can lead to out of bound read.
This ticket will prevent such issue by checking the packet length.

@trengginas trengginas added this to the release-2.12 milestone Dec 16, 2021
@trengginas trengginas self-assigned this Dec 16, 2021
sauwming
sauwming reviewed Dec 16, 2021
View reviewed changes
Copy link
Member

@sauwming sauwming left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks correct, but not easy to understand (I had to think really hard to follow the algorithm).

Why not compare it against the end packet buffer instead?
i.e.

pj_int32_t *pkt_end = (pj_int32_t*)pkt + pkt_len + 1;

if ((pj_int32_t *)rb_hdr + sizeof(something)/4 > pkt_end) break;

Or

if ((char *)rb_hdr + sizeof(something) > (char *)pkt + size) break;

the-storm
the-storm reviewed Dec 16, 2021
View reviewed changes
Copy link

@the-storm the-storm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am curious if this should have been a private PR since it is a security issue and wether it should have a GH security advisory attached to it with a CVE.

pjmedia/src/pjmedia/rtcp_xr.c Outdated
rb_len = pj_ntohs((pj_uint16_t)rb_hdr->length);

/* Just skip any block with length == 0 (no report content) */
if (rb_len) {
switch (rb_hdr->bt) {
case BT_RR_TIME:
rb_rr_time = (pjmedia_rtcp_xr_rb_rr_time*) rb_hdr;
bl_len = sizeof(*rb_rr_time) / 4;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the fix looks good. My concern here what happens if in the future a new type is added that's not divisible by 4?
Will a similar check be sufficient to prevent an OOB?
imagine a custom type with struct pjmedia_rtcp_xr_rb_some_custom_type that has sizeof() => 3

a check that's copy and paste from this check wont work. This concern also applies if any of these struct changes in size and doesn't become divisible by 4 anymore.

I think getting the end of the buffer, and check that the buffer + sizeof(*rb_rr_time) is within the bounds of the buffer should be more general and work hopefully right regardless of the struct size

Does this sound reasonable?

pjmedia/src/pjmedia/rtcp_xr.c Outdated
/* Parse report rpt_types */
while ((pj_int32_t*)rb_hdr < (pj_int32_t*)pkt + pkt_len)
{
unsigned bl_len;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: maybe you can declare this outside the loop?

pjmedia/src/pjmedia/rtcp_xr.c Outdated
@@ -427,32 +427,49 @@ void pjmedia_rtcp_xr_rx_rtcp_xr( pjmedia_rtcp_xr_session *sess,
if ((pkt_len + 1) > (size / 4))
return;

ck_len = pkt_len - 1;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this is pkt_len -1 and not pkt_len ?

the-storm
the-storm reviewed Dec 17, 2021
View reviewed changes
Copy link

@the-storm the-storm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me from security :)
I will defer approval from someone from the team who is more aware of the codebase :)

Thanks for fixing this @trengginas

@the-storm
Copy link

I am curious if this should have been a private PR since it is a security issue and wether it should have a GH security advisory attached to it with a CVE.

@trengginas any comments with regard to this?

@trengginas trengginas closed this Dec 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sauwming sauwming sauwming left review comments

@the-storm the-storm the-storm left review comments

@nanangizz nanangizz Awaiting requested review from nanangizz

Assignees

@trengginas trengginas

Labels
component: pjmedia
Projects
None yet
Milestone
release-2.12
Development

Successfully merging this pull request may close these issues.
3 participants
@trengginas @the-storm @sauwming