From 042bb0083898cd07920228d05e437f859becdcd4 Mon Sep 17 00:00:00 2001
From: "Piotr (Peter) Slatala" <psla@webrtc.org>
Date: Wed, 30 Jan 2019 14:57:12 -0800
Subject: [PATCH] Fix RTP transport accepting invalid RTCP headers.

Currently, the RtpTransport checks that the packet is either RTP or
RTCP. However, the RTCP check does not verify that the packet is a valid RTP,
and therefore invalid RTCP packets were allowed in the RtpTransport::OnReadPacket.

This change makes sure that the test for RTCP header (IsRtcpPacket) checks that it has the valid RTP version (2).

So far if the packet had the second byte that looked like
RTCP, it would ignore the first byte.


Bug: None
Change-Id: I5d07d497b9ef609c74b6e507c5f3e19e4bf10194
Reviewed-on: https://webrtc-review.googlesource.com/c/120646
Reviewed-by: Steve Anton <steveanton@webrtc.org>
Reviewed-by: Bjorn Mellem <mellem@webrtc.org>
Reviewed-by: Seth Hampson <shampson@webrtc.org>
Commit-Queue: Peter Slatala <psla@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#26480}
---
 media/base/rtp_utils.cc      | 8 +++++++-
 pc/rtp_transport_unittest.cc | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/media/base/rtp_utils.cc b/media/base/rtp_utils.cc
index b162fe590e..57e719b18f 100644
--- a/media/base/rtp_utils.cc
+++ b/media/base/rtp_utils.cc
@@ -287,9 +287,15 @@ bool IsRtpPacket(const void* data, size_t len) {
 // Check the RTP payload type. If 63 < payload type < 96, it's RTCP.
 // For additional details, see http://tools.ietf.org/html/rfc5761.
 bool IsRtcpPacket(const char* data, size_t len) {
-  if (len < 2) {
+  if (len < kMinRtcpPacketLen) {
     return false;
   }
+
+  // RTCP must be a valid RTP packet.
+  if ((static_cast<uint8_t>(data[0]) >> 6) != kRtpVersion) {
+    return false;
+  }
+
   char pt = data[1] & 0x7F;
   return (63 < pt) && (pt < 96);
 }
diff --git a/pc/rtp_transport_unittest.cc b/pc/rtp_transport_unittest.cc
index f3b2bb6f9f..1079ab46d6 100644
--- a/pc/rtp_transport_unittest.cc
+++ b/pc/rtp_transport_unittest.cc
@@ -293,11 +293,11 @@ TEST(RtpTransportTest, SignalDemuxedRtcp) {
   TransportObserver observer(&transport);
 
   // An rtcp packet.
-  const char data[] = {0, 73, 0, 0};
+  const unsigned char data[] = {0x80, 73, 0, 0};
   const int len = 4;
   const rtc::PacketOptions options;
   const int flags = 0;
-  fake_rtp.SendPacket(data, len, options, flags);
+  fake_rtp.SendPacket(reinterpret_cast<const char*>(data), len, options, flags);
   EXPECT_EQ(0, observer.rtp_count());
   EXPECT_EQ(1, observer.rtcp_count());
 }