From b72f422f3526c69ec3c54735bc05287a392f6e2d Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 11 May 2026 09:25:31 +0200 Subject: [PATCH] rtp: skip header extensions When the header X bit is set, read the extension size and skip the extension. --- src/modules/module-rtp/audio.c | 5 +++++ src/modules/module-rtp/midi.c | 5 +++++ src/modules/module-rtp/opus.c | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/src/modules/module-rtp/audio.c b/src/modules/module-rtp/audio.c index 085f3bae8..e49363f75 100644 --- a/src/modules/module-rtp/audio.c +++ b/src/modules/module-rtp/audio.c @@ -341,6 +341,11 @@ static int rtp_audio_receive(struct impl *impl, uint8_t *buffer, ssize_t len, goto invalid_version; hlen = 12 + hdr->cc * 4; + if (hdr->x) { + if (hlen + 4 > len) + goto invalid_len; + hlen += 4 + ntohs(*(uint16_t *)(buffer + hlen + 2)) * 4; + } if (hlen > len) goto invalid_len; diff --git a/src/modules/module-rtp/midi.c b/src/modules/module-rtp/midi.c index 793fa3c85..7f97a7535 100644 --- a/src/modules/module-rtp/midi.c +++ b/src/modules/module-rtp/midi.c @@ -324,6 +324,11 @@ static int rtp_midi_receive(struct impl *impl, uint8_t *buffer, ssize_t len, goto invalid_version; hlen = 12 + hdr->cc * 4; + if (hdr->x) { + if (hlen + 4 >= len) + goto invalid_len; + hlen += 4 + ntohs(*(uint16_t *)(buffer + hlen + 2)) * 4; + } if (hlen >= len) goto invalid_len; diff --git a/src/modules/module-rtp/opus.c b/src/modules/module-rtp/opus.c index 19e1e55cb..d534e953f 100644 --- a/src/modules/module-rtp/opus.c +++ b/src/modules/module-rtp/opus.c @@ -119,6 +119,11 @@ static int rtp_opus_receive(struct impl *impl, uint8_t *buffer, ssize_t len, goto invalid_version; hlen = 12 + hdr->cc * 4; + if (hdr->x) { + if (hlen + 4 > len) + goto invalid_len; + hlen += 4 + ntohs(*(uint16_t *)(buffer + hlen + 2)) * 4; + } if (hlen > len) goto invalid_len;