Skip to content
This repository has been archived by the owner on Apr 3, 2020. It is now read-only.

Commit

Permalink
Revert 256580 "This CL adds methods to manipulate RTP header ext..."
Browse files Browse the repository at this point in the history 
This made the Asan bot unhappy

http://build.chromium.org/p/chromium.memory/buildstatus?builder=Linux%20ASan%2BLSan%20Tests%20%282%29&number=396


P2PSocketHostTest.TestInvalidTurnChannelMessages (run #1):
[ RUN      ] P2PSocketHostTest.TestInvalidTurnChannelMessages
=================================================================
==13684==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000cc54404 at pc 0x278fe5c bp 0x7fff34be4350 sp 0x7fff34be4348
READ of size 1 at 0x00000cc54404 thread T0
    #0 0x278fe5b in IsRtpPacket content/browser/renderer_host/p2p/socket_host.cc:54
    #1 0x278fe5b in content::packet_processing_helpers::GetRtpPacketStartPositionAndLength(char*, int, int*, int*) content/browser/renderer_host/p2p/socket_host.cc:304
    #2 0x1f5a542 in content::P2PSocketHostTest_TestInvalidTurnChannelMessages_Test::TestBody() content/browser/renderer_host/p2p/socket_host_unittest.cc:208
    #3 0x2c38e7a in HandleExceptionsInMethodIfSupported\u003Ctesting::Test, void> testing/gtest/src/gtest.cc:2045
    #4 0x2c38e7a in testing::Test::Run() testing/gtest/src/gtest.cc:2061
    #5 0x2c3afca in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2237
    #6 0x2c3bd93 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2344
    #7 0x2c4ce4a in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4065
    #8 0x2c4c430 in HandleExceptionsInMethodIfSupported\u003Ctesting::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2045
    #9 0x2c4c430 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:3697
    #10 0x2bcad1c in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2231
    #11 0x2bcad1c in base::TestSuite::Run() base/test/test_suite.cc:213
    #12 0x2bbebbb in Run base/callback.h:401
    #13 0x2bbebbb in base::(anonymous namespace)::LaunchUnitTestsInternal(int, char**, base::Callback\u003Cint ()> const&, int) base/test/launcher/unit_test_launcher.cc:494
    #14 0x198401e in main content/test/run_all_unittests.cc:14
    #15 0x7f28c9fa576c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
    #16 0x4b322c in _start (/b/build/slave/Linux_ASan_LSan_Tests__2_/build/src/out/Release/content_unittests+0x4b322c)

0x00000cc54404 is located 60 bytes to the left of global variable 'kRtpMsgWith2ByteExtnHeader' from '../../content/browser/renderer_host/p2p/socket_host_unittest.cc' (0xcc54440) of size 20
0x00000cc54404 is located 0 bytes to the right of global variable 'kTurnChannelMsgWithZeroLength' from '../../content/browser/renderer_host/p2p/socket_host_unittest.cc' (0xcc54400) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow content/browser/renderer_host/p2p/socket_host.cc:54 IsRtpPacket
Shadow bytes around the buggy address:
  0x000081982830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081982840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000081982850: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x000081982860: 00 00 04 f9 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
  0x000081982870: 00 00 00 04 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x000081982880:[04]f9 f9 f9 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
  0x000081982890: 00 00 00 f9 f9 f9 f9 f9 00 00 00 00 00 04 f9 f9
  0x0000819828a0: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0000819828b0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
  0x0000819828c0: 03 f9 f9 f9 f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9
  0x0000819828d0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00


> This CL adds methods to manipulate RTP header extension, particularly
> AbsoulteSendTime extension. If there is matching extension ID present
> in RTP packet, we will update with the current time.
> 
> [email protected], [email protected], [email protected]
> 
> BUG=
> 
> Review URL: https://codereview.chromium.org/159353002

[email protected]

Review URL: https://codereview.chromium.org/197933002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@256584 0039d316-1c4b-4281-b951-d872f2087c98
  • Loading branch information
[email protected] committed Mar 12, 2014
1 parent a8030a2 commit 2ebbe12
Show file tree
Hide file tree
Showing 8 changed files with 6 additions and 795 deletions.
373 changes: 0 additions & 373 deletions content/browser/renderer_host/p2p/socket_host.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,386 +8,13 @@
#include "content/browser/renderer_host/p2p/socket_host_tcp.h"
#include "content/browser/renderer_host/p2p/socket_host_tcp_server.h"
#include "content/browser/renderer_host/p2p/socket_host_udp.h"
#include "crypto/hmac.h"
#include "third_party/libjingle/source/talk/base/asyncpacketsocket.h"
#include "third_party/libjingle/source/talk/base/byteorder.h"
#include "third_party/libjingle/source/talk/base/messagedigest.h"
#include "third_party/libjingle/source/talk/p2p/base/stun.h"

namespace {

const uint32 kStunMagicCookie = 0x2112A442;
const int kMinRtpHdrLen = 12;
const int kRtpExtnHdrLen = 4;
const int kDtlsRecordHeaderLen = 13;
const int kTurnChannelHdrLen = 4;
const int kAbsSendTimeExtnLen = 3;
const int kOneByteHdrLen = 1;

// Fake auth tag written by the render process if external authentication is
// enabled. HMAC in packet will be compared against this value before updating
// packet with actual HMAC value.
static const unsigned char kFakeAuthTag[10] = {
0xba, 0xdd, 0xba, 0xdd, 0xba, 0xdd, 0xba, 0xdd, 0xba, 0xdd
};

bool IsTurnChannelData(const char* data) {
return ((*data & 0xC0) == 0x40);
}

bool IsDtlsPacket(const char* data, int len) {
const uint8* u = reinterpret_cast<const uint8*>(data);
return (len >= kDtlsRecordHeaderLen && (u[0] > 19 && u[0] < 64));
}

bool IsRtcpPacket(const char* data) {
int type = (static_cast<uint8>(data[1]) & 0x7F);
return (type >= 64 && type < 96);
}

bool IsTurnSendIndicationPacket(const char* data) {
uint16 type = talk_base::GetBE16(data);
return (type == cricket::TURN_SEND_INDICATION);
}

bool IsRtpPacket(const char* data, int len) {
return ((*data & 0xC0) == 0x80);
}

// Verifies rtp header and message length.
bool ValidateRtpHeader(char* rtp, int length) {
int cc_count = rtp[0] & 0x0F;
int rtp_hdr_len_without_extn = kMinRtpHdrLen + 4 * cc_count;
if (rtp_hdr_len_without_extn > length) {
return false;
}

// If extension bit is not set, we are done with header processing, as input
// length is verified above.
if (!(rtp[0] & 0x10)) {
return true;
}

rtp += rtp_hdr_len_without_extn;

// Getting extension profile length.
// Length is in 32 bit words.
uint16 extn_length = talk_base::GetBE16(rtp + 2) * 4;

// Verify input length against total header size.
if (rtp_hdr_len_without_extn + kRtpExtnHdrLen + extn_length > length) {
return false;
}
return true;
}

void UpdateAbsSendTimeExtnValue(char* extn_data, int len,
uint32 abs_send_time) {
// Absolute send time in RTP streams.
//
// The absolute send time is signaled to the receiver in-band using the
// general mechanism for RTP header extensions [RFC5285]. The payload
// of this extension (the transmitted value) is a 24-bit unsigned integer
// containing the sender's current time in seconds as a fixed point number
// with 18 bits fractional part.
//
// The form of the absolute send time extension block:
//
// 0 1 2 3
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | ID | len=2 | absolute send time |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
DCHECK_EQ(len, kAbsSendTimeExtnLen);
// Now() has resolution ~1-15ms, using HighResNow(). But it is warned not to
// use it unless necessary, as it is expensive than Now().
uint32 now_second = abs_send_time;
if (!now_second) {
uint64 now_us =
(base::TimeTicks::HighResNow() - base::TimeTicks()).InMicroseconds();
// Convert second to 24-bit unsigned with 18 bit fractional part
now_second =
((now_us << 18) / base::Time::kMicrosecondsPerSecond) & 0x00FFFFFF;
}
// TODO(mallinath) - Add SetBE24 to byteorder.h in libjingle.
extn_data[0] = static_cast<uint8>(now_second >> 16);
extn_data[1] = static_cast<uint8>(now_second >> 8);
extn_data[2] = static_cast<uint8>(now_second);
}

// Assumes |len| is actual packet length + tag length. Updates HMAC at end of
// the RTP packet.
void UpdateRtpAuthTag(char* rtp, int len,
const talk_base::PacketOptions& options) {
// If there is no key, return.
if (options.packet_time_params.srtp_auth_key.empty())
return;

size_t tag_length = options.packet_time_params.srtp_auth_tag_len;
char* auth_tag = rtp + (len - tag_length);

// We should have a fake HMAC value @ auth_tag.
DCHECK_EQ(0, memcmp(auth_tag, kFakeAuthTag, tag_length));

crypto::HMAC hmac(crypto::HMAC::SHA1);
if (!hmac.Init(reinterpret_cast<const unsigned char*>(
&options.packet_time_params.srtp_auth_key[0]),
options.packet_time_params.srtp_auth_key.size())) {
NOTREACHED();
return;
}

if (hmac.DigestLength() < tag_length) {
NOTREACHED();
return;
}

// Copy ROC after end of rtp packet.
memcpy(auth_tag, &options.packet_time_params.srtp_packet_index, 4);
// Authentication of a RTP packet will have RTP packet + ROC size.
int auth_required_length = len - tag_length + 4;

unsigned char output[64];
if (!hmac.Sign(base::StringPiece(rtp, auth_required_length),
output, sizeof(output))) {
NOTREACHED();
return;
}
// Copy HMAC from output to packet. This is required as auth tag length
// may not be equal to the actual HMAC length.
memcpy(auth_tag, output, tag_length);
}

} // namespace

namespace content {

namespace packet_processing_helpers {

bool ApplyPacketOptions(char* data, int length,
const talk_base::PacketOptions& options,
uint32 abs_send_time) {
DCHECK(data != NULL);
DCHECK(length > 0);
// if there is no valid |rtp_sendtime_extension_id| and |srtp_auth_key| in
// PacketOptions, nothing to be updated in this packet.
if (options.packet_time_params.rtp_sendtime_extension_id == -1 &&
options.packet_time_params.srtp_auth_key.empty()) {
return true;
}

DCHECK(!IsDtlsPacket(data, length));
DCHECK(!IsRtcpPacket(data));

// If there is a srtp auth key present then packet must be a RTP packet.
// RTP packet may have been wrapped in a TURN Channel Data or
// TURN send indication.
int rtp_start_pos;
int rtp_length;
if (!GetRtpPacketStartPositionAndLength(
data, length, &rtp_start_pos, &rtp_length)) {
// This method should never return false.
NOTREACHED();
return false;
}

// Skip to rtp packet.
char* start = data + rtp_start_pos;
// If packet option has non default value (-1) for sendtime extension id,
// then we should parse the rtp packet to update the timestamp. Otherwise
// just calculate HMAC and update packet with it.
if (options.packet_time_params.rtp_sendtime_extension_id != -1) {
UpdateRtpAbsSendTimeExtn(
start, rtp_length,
options.packet_time_params.rtp_sendtime_extension_id, abs_send_time);
}

UpdateRtpAuthTag(start, rtp_length, options);
return true;
}

bool GetRtpPacketStartPositionAndLength(
char* packet, int length, int* rtp_start_pos, int* rtp_packet_length) {
int rtp_begin, rtp_length;
if (IsTurnChannelData(packet)) {
// Turn Channel Message header format.
// 0 1 2 3
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | Channel Number | Length |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | |
// / Application Data /
// / /
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
if (length < kTurnChannelHdrLen) {
return false;
}

rtp_begin = kTurnChannelHdrLen;
rtp_length = talk_base::GetBE16(&packet[2]);
if (length < rtp_length + kTurnChannelHdrLen) {
return false;
}
} else if (IsTurnSendIndicationPacket(packet)) {
if (length <= P2PSocketHost::kStunHeaderSize) {
// Message must be greater than 20 bytes, if it's carrying any payload.
return false;
}
// Validate STUN message length.
int stun_msg_len = talk_base::GetBE16(&packet[2]);
if (stun_msg_len + P2PSocketHost::kStunHeaderSize != length) {
return false;
}

// First skip mandatory stun header which is of 20 bytes.
rtp_begin = P2PSocketHost::kStunHeaderSize;
// Loop through STUN attributes until we find STUN DATA attribute.
char* start = packet + rtp_begin;
bool data_attr_present = false;
while ((packet + rtp_begin) - start < length) {
// Keep reading STUN attributes until we hit DATA attribute.
// Attribute will be a TLV structure.
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | Type | Length |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | Value (variable) ....
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// The value in the length field MUST contain the length of the Value
// part of the attribute, prior to padding, measured in bytes. Since
// STUN aligns attributes on 32-bit boundaries, attributes whose content
// is not a multiple of 4 bytes are padded with 1, 2, or 3 bytes of
// padding so that its value contains a multiple of 4 bytes. The
// padding bits are ignored, and may be any value.
uint16 attr_type, attr_length;
// Getting attribute type and length.
attr_type = talk_base::GetBE16(&packet[rtp_begin]);
attr_length = talk_base::GetBE16(
&packet[rtp_begin + sizeof(attr_type)]);
// Checking for bogus attribute length.
if (length < attr_length + rtp_begin) {
return false;
}

if (attr_type != cricket::STUN_ATTR_DATA) {
rtp_begin += sizeof(attr_type) + sizeof(attr_length) + attr_length;
if ((attr_length % 4) != 0) {
rtp_begin += (4 - (attr_length % 4));
}
continue;
}

data_attr_present = true;
rtp_begin += 4; // Skip STUN_DATA_ATTR header.
rtp_length = attr_length;
// One final check of length before exiting.
if (length < rtp_length + rtp_begin) {
return false;
}
// We found STUN_DATA_ATTR. We can skip parsing rest of the packet.
break;
}

if (!data_attr_present) {
// There is no data attribute present in the message. We can't do anything
// with the message.
return false;
}

} else {
// This is a raw RTP packet.
rtp_begin = 0;
rtp_length = length;
}

// Making sure we have a valid RTP packet at the end.
if (IsRtpPacket(packet + rtp_begin, rtp_length) &&
ValidateRtpHeader(packet + rtp_begin, rtp_length)) {
*rtp_start_pos = rtp_begin;
*rtp_packet_length = rtp_length;
return true;
}
return false;
}

// ValidateRtpHeader must be called before this method to make sure, we have
// a sane rtp packet.
bool UpdateRtpAbsSendTimeExtn(char* rtp, int length,
int extension_id, uint32 abs_send_time) {
// 0 1 2 3
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// |V=2|P|X| CC |M| PT | sequence number |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | timestamp |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | synchronization source (SSRC) identifier |
// +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
// | contributing source (CSRC) identifiers |
// | .... |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

// Return if extension bit is not set.
if (!(rtp[0] & 0x10)) {
return true;
}

int cc_count = rtp[0] & 0x0F;
int rtp_hdr_len_without_extn = kMinRtpHdrLen + 4 * cc_count;

rtp += rtp_hdr_len_without_extn;

// Getting extension profile ID and length.
uint16 profile_id = talk_base::GetBE16(rtp);
// Length is in 32 bit words.
uint16 extn_length = talk_base::GetBE16(rtp + 2) * 4;

rtp += kRtpExtnHdrLen; // Moving past extn header.

bool found = false;
// WebRTC is using one byte header extension.
// TODO(mallinath) - Handle two byte header extension.
if (profile_id == 0xBEDE) { // OneByte extension header
// 0
// 0 1 2 3 4 5 6 7
// +-+-+-+-+-+-+-+-+
// | ID | len |
// +-+-+-+-+-+-+-+-+

// 0 1 2 3
// 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | 0xBE | 0xDE | length=3 |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | ID | L=0 | data | ID | L=1 | data...
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// ...data | 0 (pad) | 0 (pad) | ID | L=3 |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
// | data |
// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
char* extn_start = rtp;
while (rtp - extn_start < extn_length) {
const int id = (*rtp & 0xF0) >> 4;
const int len = (*rtp & 0x0F) + 1;
// The 4-bit length is the number minus one of data bytes of this header
// extension element following the one-byte header.
if (id == extension_id) {
UpdateAbsSendTimeExtnValue(rtp + kOneByteHdrLen, len, abs_send_time);
found = true;
break;
}
rtp += kOneByteHdrLen + len;
// Counting padding bytes.
while ((*rtp == 0) && (rtp - extn_start < extn_length)) {
++rtp;
}
}
}
return found;
}

} // packet_processing_helpers

P2PSocketHost::P2PSocketHost(IPC::Sender* message_sender,
int id)
: message_sender_(message_sender),
Expand Down
Loading

0 comments on commit 2ebbe12

Please sign in to comment.