fix panics when parsing rtcp packets with invalid block sizes (#678)

TimeToogo · web-flow · commit 0f2db130f2cd · 2025-05-25T16:14:20.000-07:00
diff --git a/rtcp/src/error.rs b/rtcp/src/error.rs
@@ -96,6 +96,8 @@ pub enum Error {
     BadStructMemberType,
     #[error("Cannot read into non-pointer")]
     BadReadParameter,
+    #[error("Invalid block size")]
+    InvalidBlockSize,
 
     #[error("{0}")]
     Util(#[from] util::Error),
diff --git a/rtcp/src/extended_report/dlrr.rs b/rtcp/src/extended_report/dlrr.rs
@@ -123,7 +123,10 @@ impl Unmarshal for DLRRReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if block_length % DLRR_REPORT_LENGTH != 0 || raw_packet.remaining() < block_length as usize
         {
             return Err(error::Error::PacketTooShort.into());
diff --git a/rtcp/src/extended_report/prt.rs b/rtcp/src/extended_report/prt.rs
@@ -118,7 +118,10 @@ impl Unmarshal for PacketReceiptTimesReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if block_length < PRT_REPORT_BLOCK_MIN_LENGTH
             || (block_length - PRT_REPORT_BLOCK_MIN_LENGTH) % 4 != 0
             || raw_packet.remaining() < block_length as usize
diff --git a/rtcp/src/extended_report/rle.rs b/rtcp/src/extended_report/rle.rs
@@ -210,7 +210,10 @@ impl Unmarshal for RLEReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if block_length < RLE_REPORT_BLOCK_MIN_LENGTH
             || (block_length - RLE_REPORT_BLOCK_MIN_LENGTH) % 2 != 0
             || raw_packet.remaining() < block_length as usize
diff --git a/rtcp/src/extended_report/rrt.rs b/rtcp/src/extended_report/rrt.rs
@@ -98,7 +98,10 @@ impl Unmarshal for ReceiverReferenceTimeReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if block_length != RRT_REPORT_BLOCK_LENGTH || raw_packet.remaining() < block_length as usize
         {
             return Err(error::Error::PacketTooShort.into());
diff --git a/rtcp/src/extended_report/ssr.rs b/rtcp/src/extended_report/ssr.rs
@@ -186,7 +186,10 @@ impl Unmarshal for StatisticsSummaryReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if block_length != SSR_REPORT_BLOCK_LENGTH || raw_packet.remaining() < block_length as usize
         {
             return Err(error::Error::PacketTooShort.into());
diff --git a/rtcp/src/extended_report/unknown.rs b/rtcp/src/extended_report/unknown.rs
@@ -83,7 +83,10 @@ impl Unmarshal for UnknownReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if raw_packet.remaining() < block_length as usize {
             return Err(error::Error::PacketTooShort.into());
         }
diff --git a/rtcp/src/extended_report/vm.rs b/rtcp/src/extended_report/vm.rs
@@ -149,7 +149,10 @@ impl Unmarshal for VoIPMetricsReportBlock {
         }
 
         let xr_header = XRHeader::unmarshal(raw_packet)?;
-        let block_length = xr_header.block_length * 4;
+        let block_length = match xr_header.block_length.checked_mul(4) {
+            Some(length) => length,
+            None => return Err(error::Error::InvalidBlockSize.into()),
+        };
         if block_length != VM_REPORT_BLOCK_LENGTH || raw_packet.remaining() < block_length as usize
         {
             return Err(error::Error::PacketTooShort.into());

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,10 @@ impl Unmarshal for DLRRReportBlock {`
`123`	`123`	`}`
`124`	`124`
`125`	`125`	`let xr_header = XRHeader::unmarshal(raw_packet)?;`
`126`		`- let block_length = xr_header.block_length * 4;`
	`126`	`+ let block_length = match xr_header.block_length.checked_mul(4) {`
	`127`	`+ Some(length) => length,`
	`128`	`+ None => return Err(error::Error::InvalidBlockSize.into()),`
	`129`	`+ };`
`127`	`130`	`if block_length % DLRR_REPORT_LENGTH != 0 \|\| raw_packet.remaining() < block_length as usize`
`128`	`131`	`{`
`129`	`132`	`return Err(error::Error::PacketTooShort.into());`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,10 @@ impl Unmarshal for ReceiverReferenceTimeReportBlock {`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`let xr_header = XRHeader::unmarshal(raw_packet)?;`
`101`		`- let block_length = xr_header.block_length * 4;`
	`101`	`+ let block_length = match xr_header.block_length.checked_mul(4) {`
	`102`	`+ Some(length) => length,`
	`103`	`+ None => return Err(error::Error::InvalidBlockSize.into()),`
	`104`	`+ };`
`102`	`105`	`if block_length != RRT_REPORT_BLOCK_LENGTH \|\| raw_packet.remaining() < block_length as usize`
`103`	`106`	`{`
`104`	`107`	`return Err(error::Error::PacketTooShort.into());`
Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,10 @@ impl Unmarshal for StatisticsSummaryReportBlock {`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`let xr_header = XRHeader::unmarshal(raw_packet)?;`
`189`		`- let block_length = xr_header.block_length * 4;`
	`189`	`+ let block_length = match xr_header.block_length.checked_mul(4) {`
	`190`	`+ Some(length) => length,`
	`191`	`+ None => return Err(error::Error::InvalidBlockSize.into()),`
	`192`	`+ };`
`190`	`193`	`if block_length != SSR_REPORT_BLOCK_LENGTH \|\| raw_packet.remaining() < block_length as usize`
`191`	`194`	`{`
`192`	`195`	`return Err(error::Error::PacketTooShort.into());`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,10 @@ impl Unmarshal for UnknownReportBlock {`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`let xr_header = XRHeader::unmarshal(raw_packet)?;`
`86`		`- let block_length = xr_header.block_length * 4;`
	`86`	`+ let block_length = match xr_header.block_length.checked_mul(4) {`
	`87`	`+ Some(length) => length,`
	`88`	`+ None => return Err(error::Error::InvalidBlockSize.into()),`
	`89`	`+ };`
`87`	`90`	`if raw_packet.remaining() < block_length as usize {`
`88`	`91`	`return Err(error::Error::PacketTooShort.into());`
`89`	`92`	`}`
Original file line number	Diff line number	Diff line change
`@@ -149,7 +149,10 @@ impl Unmarshal for VoIPMetricsReportBlock {`
`149`	`149`	`}`
`150`	`150`
`151`	`151`	`let xr_header = XRHeader::unmarshal(raw_packet)?;`
`152`		`- let block_length = xr_header.block_length * 4;`
	`152`	`+ let block_length = match xr_header.block_length.checked_mul(4) {`
	`153`	`+ Some(length) => length,`
	`154`	`+ None => return Err(error::Error::InvalidBlockSize.into()),`
	`155`	`+ };`
`153`	`156`	`if block_length != VM_REPORT_BLOCK_LENGTH \|\| raw_packet.remaining() < block_length as usize`
`154`	`157`	`{`
`155`	`158`	`return Err(error::Error::PacketTooShort.into());`