Input Validation: High
The acmp_message() handler accessed fields of avb_ethernet_header and
avb_packet_acmp from network packet data without first checking that
the received packet was large enough to contain these structures.
A short packet could cause out-of-bounds reads when accessing packet
header fields.
The VLA-based reply buffers in reply_not_supported(),
handle_connect_tx_command(), and handle_disconnect_tx_command() also
lacked an upper bound on the packet length, allowing a packet claiming
a very large size to cause excessive stack allocation.
Fix by adding minimum length (sizeof(header) + sizeof(acmp)) and
maximum length (MTU) validation at the entry point before any field
access or buffer allocation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
In handle_connect_tx_command() and handle_disconnect_tx_command(),
AVB_PACKET_ACMP_SET_MESSAGE_TYPE() is called after the goto done
target. When find_stream() fails and jumps to done, the response
is sent with the original command message type (e.g., CONNECT_TX_COMMAND)
instead of the correct response type (CONNECT_TX_RESPONSE).
Move the SET_MESSAGE_TYPE call before find_stream() so error responses
are always sent with the correct response message type.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
built:
* es_builder: create stream with state variables and counters
* acmp: do not use the stream list, go through the descriptor to find
the index
* stream: do not store redundant information such as the index and
descriptor
* internal: removing the stream server and function associated to it
module-avb: internal, stream: removing server_find_stream
Add in input/output stream, setup the talker/listeners.
Implement IEC61883 audio packets, send and receive data.
Implement talker encoding.
With this, audio can be sent and received from MOTU M64.
