From: <jpg...@us...> - 2008-04-23 15:37:41
Revision: 1420 http://iaxclient.svn.sourceforge.net/iaxclient/?rev=1420&view=rev Author: jpgrayson Date: 2008-04-23 08:22:48 -0700 (Wed, 23 Apr 2008) Log Message: ----------- Security fixes from Alex Vassilev (Thank you!). - Check for super-short (< 2 byte) frames. - Check video header size. - Detect non-video meta frames correctly -- no longer make bogus assumption that they are audio mini frames. Modified Paths: -------------- trunk/lib/libiax2/src/iax.c Modified: trunk/lib/libiax2/src/iax.c =================================================================== --- trunk/lib/libiax2/src/iax.c 2008-04-23 15:00:22 UTC (rev 1419) +++ trunk/lib/libiax2/src/iax.c 2008-04-23 15:22:48 UTC (rev 1420) @@ -3207,6 +3207,12 @@ struct ast_iax2_video_hdr *vh = (struct ast_iax2_video_hdr *)buf; struct iax_session *session; + if ((size_t)len < sizeof(fh->scallno)) { + DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr)); + IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr)); + return NULL; + } + if (ntohs(fh->scallno) & IAX_FLAG_FULL) { /* Full size header */ if ((size_t)len < sizeof(struct ast_iax2_full_hdr)) { 
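Review bot: The added guard `(size_t)len < sizeof(fh->scallno)` only rejects short non-negative lengths: if `len` is a signed type (the cast suggests so, but its declaration is outside the hunk), a negative value converts to a very large size_t and passes this check as well as the full-header check below it. Unless every caller already filters out a failed receive, the guard should read `if (len < 0 || (size_t)len < sizeof(fh->scallno)) {`. The same cast appears in the mini-header and video-header length checks in the next hunk. The enclosing function begins before this hunk, so how `len` is produced should be confirmed there.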
@@ -3225,32 +3231,49 @@ ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS); if (session) return iax_header_to_event(session, fh, len - sizeof(struct ast_iax2_full_hdr), sin); - DEBU(G "No session?\n"); - return NULL; } else { if ((size_t)len < sizeof(struct ast_iax2_mini_hdr)) { DEBU(G "Short header received from %s\n", inet_ntoa(sin->sin_addr)); IAXERROR "Short header received from %s\n", inet_ntoa(sin->sin_addr)); return NULL; } - /* Miniature, voice frame */ - if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000)) - { + + if (mh->callno == 0) { + /* We have a meta frame, could be a video meta frame + * or an ordinary meta frame, to find out we check + * the V flag. + */ + if (!(ntohs(vh->callno) & 0x8000)) { + DEBU(G "Meta frame received from %s, but we cannot handle it\n", + inet_ntoa(sin->sin_addr)); + IAXERROR "Meta frame received from %s, but we cannot handle it\n", + inet_ntoa(sin->sin_addr)); + return NULL; + } + /* it is a video metaframe, verify its size */ + if ((size_t)len < sizeof(struct ast_iax2_video_hdr)) { + DEBU(G "Short video mini header received from %s\n", + inet_ntoa(sin->sin_addr)); + IAXERROR "Short video mini header received from %s\n", + inet_ntoa(sin->sin_addr)); + return NULL; + } + session = iax_find_session(sin, ntohs(vh->callno) & ~0x8000, 0, 0); if (session) return iax_videoheader_to_event(session, vh, len - sizeof(struct ast_iax2_video_hdr)); } else { - /* audio frame */ - session = iax_find_session(sin, ntohs(fh->scallno), 0, 0); + /* mini audio frame */ + session = iax_find_session(sin, ntohs(mh->callno), 0, 0); if (session) return iax_miniheader_to_event(session, mh, len - sizeof(struct ast_iax2_mini_hdr)); } - DEBU(G "No session?\n"); - return NULL; } + DEBU(G "No session?\n"); + return NULL; } static struct iax_sched *iax_get_sched(struct timeval tv) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
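Review bot: In the meta-frame branch the V-flag test `ntohs(vh->callno) & 0x8000` reads through the video-header view of the buffer before `len` has been compared with `sizeof(struct ast_iax2_video_hdr)`; at that point only `sizeof(struct ast_iax2_mini_hdr)` bytes are known to be present. The read is in bounds only if `vh->callno` lies entirely within those already-verified bytes, which depends on struct layouts that are not shown here. Either move the video-header length check above the V-flag test, or record the assumption next to the read, e.g. `/* vh->callno lies within the sizeof(struct ast_iax2_mini_hdr) bytes verified above */`. The function starts outside this hunk.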
From: <jpg...@us...> - 2008-05-23 16:40:27
Revision: 1432 http://iaxclient.svn.sourceforge.net/iaxclient/?rev=1432&view=rev Author: jpgrayson Date: 2008-05-23 09:40:33 -0700 (Fri, 23 May 2008) Log Message: ----------- Fix unwrap_timestamp() to correctly account for mini video packets. Mini video packets only encode the lower 15-bits of their timestamps instead of the lower 16-bits that audio mini packets do. This may cause sporadic video packet loss. Modified Paths: -------------- trunk/lib/libiax2/src/iax.c Modified: trunk/lib/libiax2/src/iax.c =================================================================== --- trunk/lib/libiax2/src/iax.c 2008-05-19 15:00:26 UTC (rev 1431) +++ trunk/lib/libiax2/src/iax.c 2008-05-23 16:40:33 UTC (rev 1432) 
@@ -2380,51 +2380,33 @@ #endif /* From chan_iax2/steve davies: need to get permission from steve or digium, I guess */ -static long unwrap_timestamp(long ts, long last) +static long unwrap_timestamp(long ts, long last, int is_video) { - int x; + const int ts_shift = is_video ? 15 : 16; + const long lower_mask = (1 << ts_shift) - 1; + const long upper_mask = ~lower_mask; - if ( (ts & 0xFFFF0000) == (last & 0xFFFF0000) ) { - x = ts - last; - if (x < -50000) { - /* Sudden big jump backwards in timestamp: - What likely happened here is that miniframe - timestamp has circled but we haven't gotten the - update from the main packet. We'll just pretend - that we did, and update the timestamp - appropriately. */ - ts = ( (last & 0xFFFF0000) + 0x10000) | (ts & 0xFFFF); + if ( (ts & upper_mask) == (last & upper_mask) ) { + const long x = ts - last; + const long threshold = is_video ? 25000 : 50000; + + if (x < -threshold) { + /* Sudden big jump backwards in timestamp: What likely + * happened here is that miniframe timestamp has + * circled but we haven't gotten the update from the + * main packet. We'll just pretend that we did, and + * update the timestamp appropriately. + */ + ts = ((last & upper_mask) + (1 << ts_shift)) | (ts & lower_mask); DEBU(G "schedule_delivery: pushed forward timestamp\n"); - } - if (x > 50000) { + } else if (x > threshold) { /* Sudden apparent big jump forwards in timestamp: - What's likely happened is this is an old miniframe - belonging to the previous top-16-bit timestamp that - has turned up out of order. Adjust the timestamp - appropriately. */ - ts = ( (last & 0xFFFF0000) - 0x10000) | (ts & 0xFFFF); - DEBU(G "schedule_delivery: pushed back timestamp\n"); - } - } - else if ( (ts & 0xFFFF8000L) == (last & 0xFFFF8000L) ) { - x = ts - last; - if (x < -50000) { - /* Sudden big jump backwards in timestamp: - What likely happened here is that miniframe - timestamp has circled but we haven't gotten the - update from the main packet. 
We'll just pretend - that we did, and update the timestamp - appropriately. */ - ts = ( (last & 0xFFFF8000L) + 0x10000) | (ts & 0xFFFF); - DEBU(G "schedule_delivery: pushed forward timestamp\n"); - } - if (x > 50000) { - /* Sudden apparent big jump forwards in timestamp: * What's likely happened is this is an old miniframe - * belonging to the previous top-16-bit timestamp that - * has turned up out of order. Adjust the timestamp - * appropriately. */ - ts = ( (last & 0xFFFF8000L) - 0x10000) | (ts & 0xFFFF); + * belonging to the previous top 15-bit or 16-bit + * timestamp that has turned up out of order. Adjust + * the timestamp appropriately. + */ + ts = ((last & upper_mask) - (1 << ts_shift)) | (ts & lower_mask); DEBU(G "schedule_delivery: pushed back timestamp\n"); } } @@ -2471,7 +2453,8 @@ } /* unwrap timestamp */ - ts = unwrap_timestamp(ts,e->session->last_ts); + ts = unwrap_timestamp(ts, e->session->last_ts, + e->etype == IAX_EVENT_VIDEO); /* move forward last_ts if it's greater. We do this _after_ * unwrapping, because asterisk _still_ has cases where it This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
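Review bot: The push-back branch `ts = ((last & upper_mask) - (1 << ts_shift)) | (ts & lower_mask);` produces a negative timestamp whenever `last` is still below `1 << ts_shift`, because the subtraction drops below zero before the OR; `ts` appears to come from a received mini frame, so this can be reached early in a call with a large low-order timestamp. The behaviour predates this commit (the removed code subtracted 0x10000 the same way), and what a negative `ts` does downstream is outside the hunk. Consider guarding the branch, `} else if (x > threshold && (last & upper_mask) != 0) {`, and adding a comment that 25000 and 50000 are roughly three quarters of the 15-bit and 16-bit wrap periods. The end of unwrap_timestamp is outside this hunk.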
From: <jpg...@us...> - 2008-06-04 14:03:48
Revision: 1433 http://iaxclient.svn.sourceforge.net/iaxclient/?rev=1433&view=rev Author: jpgrayson Date: 2008-06-04 07:03:56 -0700 (Wed, 04 Jun 2008) Log Message: ----------- Add newline to log message. Modified Paths: -------------- trunk/lib/libiax2/src/iax.c Modified: trunk/lib/libiax2/src/iax.c ===================================================================
--- trunk/lib/libiax2/src/iax.c 2008-05-23 16:40:33 UTC (rev 1432)
+++ trunk/lib/libiax2/src/iax.c 2008-06-04 14:03:56 UTC (rev 1433)
@@ -2299,7 +2299,7 @@
 {
 // print a warning when the callno's don't match
 fprintf( stderr, "WARNING: peercallno does not match callno"
- ", peercallno => %d, callno => %d, dcallno => %d",
+ ", peercallno => %d, callno => %d, dcallno => %d\n",
 cur->peercallno, callno, dcallno ) ;
 return 0 ;
 }
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |