From 240c7234f6332b255aff1d3d0323e5f4f5eaf9f9 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Fri, 13 Sep 2013 16:01:42 +0200 Subject: [PATCH] rtpbuffer: check for valid payload type The payload type can't be between 72 and 76 because with the marker bit set, this could be mistaken for an RTCP packet then. We do a relaxed check and only refuse 72-76 when the marker bit is set. The effect is that when we try to map an RTCP packet as an RTP packet, we will certainly fail. --- gst-libs/gst/rtp/gstrtpbuffer.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/gst-libs/gst/rtp/gstrtpbuffer.c b/gst-libs/gst/rtp/gstrtpbuffer.c index ebc0824983..7c32d352c6 100644 --- a/gst-libs/gst/rtp/gstrtpbuffer.c +++ b/gst-libs/gst/rtp/gstrtpbuffer.c @@ -316,7 +316,7 @@ gst_rtp_buffer_map (GstBuffer * buffer, GstMapFlags flags, GstRTPBuffer * rtp) guint8 padding; guint8 csrc_count; guint header_len; - guint8 version; + guint8 version, pt; guint8 *data; guint size; gsize bufsize, skip; @@ -346,6 +346,13 @@ gst_rtp_buffer_map (GstBuffer * buffer, GstMapFlags flags, GstRTPBuffer * rtp) if (G_UNLIKELY (version != (GST_RTP_VERSION << 6))) goto wrong_version; + /* check reserved PT and marker bit, this is to check for RTCP + * packets. We do a relaxed check, you can still use 72-76 as long + * as the marker bit is cleared. */ + pt = data[1]; + if (G_UNLIKELY (pt >= 200 && pt <= 204)) + goto reserved_pt; + /* calc header length with csrc */ csrc_count = (data[0] & 0x0f); header_len += csrc_count * sizeof (guint32); @@ -442,6 +449,11 @@ wrong_version: GST_DEBUG ("version check failed (%d != %d)", version, GST_RTP_VERSION); goto dump_packet; } +reserved_pt: + { + GST_DEBUG ("reserved PT %d found", pt); + goto dump_packet; + } wrong_padding: { GST_DEBUG ("padding check failed (%" G_GSIZE_FORMAT " - %d < %d)", bufsize,