* join/begin mrp protocol for attributes of mvrp and msrp within stream_activate.
* Creation of the attribute is done on stream creation during es_builder
Memory Safety: High

The netjack2_recv_opus() and netjack2_recv_int() functions had two
issues:

1. Missing recv length validation: after recv(), neither function
   checked that the received data was at least sizeof(header) bytes.
   A short packet would cause the pointer to advance past received
   data, reading uninitialized VLA memory into the encoded buffer.

2. Integer overflow in bounds check: the expression
   (active_ports-1)*max_encoded + sub_cycle*sub_period_bytes + data_size
   uses sub_cycle from the network packet header. A large sub_cycle
   value can overflow the uint32_t multiplication, wrapping around to
   a small value and bypassing the encoded_size bounds check, leading
   to an out-of-bounds write into encoded_data.

Additionally, validate that the received data is large enough for the
active_ports * data_size memcpy to prevent reading past the buffer.

Fix by adding recv length checks, using spa_overflow_mul/add for the
bounds arithmetic, and validating recv'd data covers the copy region.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
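
The bounds arithmetic from the commit message above, as an added sketch that is not code from the commit or the project: it contrasts a wrapping uint32_t check with an overflow-checked one. It assumes GCC/Clang `__builtin_*_overflow` as a stand-in for spa_overflow_mul/add; `struct pkt_header`, the function names and all numeric values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header: only its size matters for this sketch. */
struct pkt_header { uint32_t sub_cycle; uint32_t active_ports; };

/* Sketch of the pre-fix check: plain uint32_t arithmetic wraps silently. */
bool bounds_ok_wrapping(uint32_t active_ports, uint32_t max_encoded,
		uint32_t sub_cycle, uint32_t sub_period_bytes,
		uint32_t data_size, uint32_t encoded_size)
{
	uint32_t end = (active_ports - 1) * max_encoded
		+ sub_cycle * sub_period_bytes + data_size;
	return end <= encoded_size;
}

/* Hardened check: recv length first, then overflow-checked arithmetic. */
bool bounds_ok_checked(size_t recv_len, uint32_t active_ports,
		uint32_t max_encoded, uint32_t sub_cycle,
		uint32_t sub_period_bytes, uint32_t data_size,
		uint32_t encoded_size)
{
	uint32_t a, b, end, need;

	if (recv_len < sizeof(struct pkt_header) || active_ports == 0)
		return false;	/* short packet, or (active_ports-1) would wrap */
	if (__builtin_mul_overflow(active_ports - 1, max_encoded, &a) ||
	    __builtin_mul_overflow(sub_cycle, sub_period_bytes, &b) ||
	    __builtin_add_overflow(a, b, &end) ||
	    __builtin_add_overflow(end, data_size, &end))
		return false;	/* write offset does not fit in 32 bits */
	if (end > encoded_size)
		return false;	/* write would run past encoded_data */
	if (__builtin_mul_overflow(active_ports, data_size, &need))
		return false;
	/* received payload must cover the active_ports * data_size copy */
	return recv_len - sizeof(struct pkt_header) >= need;
}

int main(void)
{
	uint32_t big = 0x01000000u;	/* constructed: big * 256 == 2^32, wraps to 0 */
	printf("wrapping: %d\n", bounds_ok_wrapping(2, 1024, big, 256, 64, 4096));
	printf("checked:  %d\n", bounds_ok_checked(136, 2, 1024, big, 256, 64, 4096));
	return 0;
}
```
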
Input Validation: High

The on_socket_data() handler only checked that the received packet was
at least avb_packet_header size before casting to avb_packet_iec61883,
which is larger. A packet between these two sizes would cause
out-of-bounds reads when accessing iec61883 fields like data_len.

Additionally, handle_iec61883_packet() used the data_len field from the
packet to determine how many bytes to copy into the ring buffer without
checking that the claimed data_len didn't exceed the actual received
data. A crafted packet with an inflated data_len could cause an
out-of-bounds read from the receive buffer.

Fix by requiring the minimum packet size to cover both the ethernet
header and the iec61883 header, and by validating that the claimed
payload size doesn't exceed the received data length.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>