From 7f81103b97b97c08ea68a224f7bea3b822dfde25 Mon Sep 17 00:00:00 2001 From: "daniel@poradnik-webmastera.com" Date: Sat, 6 Jul 2024 12:29:01 +0200 Subject: [PATCH] Fix RTP padding length validation Added validation of RTP padding length in received packets. Also check for zero padding length when marshaling. --- error.go | 2 ++ packet.go | 10 ++++++++++ 2 files changed, 12 insertions(+) diff --git a/error.go b/error.go index 4df5d2a2..ac3ece45 100644 --- a/error.go +++ b/error.go @@ -21,4 +21,6 @@ var ( errRFC8285TwoByteHeaderSize = errors.New("header extension payload must be 255bytes or less for RFC 5285 two byte extensions") errRFC3550HeaderIDRange = errors.New("header extension id must be 0 for non-RFC 5285 extensions") + + errInvalidRTPPadding = errors.New("invalid RTP padding") ) diff --git a/packet.go b/packet.go index af88af3e..5bc8dadb 100644 --- a/packet.go +++ b/packet.go @@ -215,7 +215,13 @@ func (p *Packet) Unmarshal(buf []byte) error { end := len(buf) if p.Header.Padding { + if end <= n { + return errTooSmall + } p.PaddingSize = buf[end-1] + if p.PaddingSize == 0 || end < n+int(p.PaddingSize) { + return errTooSmall + } end -= int(p.PaddingSize) } if end < n { @@ -475,6 +481,10 @@ func (p Packet) Marshal() (buf []byte, err error) { // MarshalTo serializes the packet and writes to the buffer. func (p *Packet) MarshalTo(buf []byte) (n int, err error) { + if p.Header.Padding && p.PaddingSize == 0 { + return 0, errInvalidRTPPadding + } + n, err = p.Header.MarshalTo(buf) if err != nil { return 0, err