1 files changed, 91 insertions, 0 deletions

diff --git a/googlepatches/google-7-srtp-security-fix.patch b/googlepatches/google-7-srtp-security-fix.patch
new file mode 100644
index 0000000..54e3e9e
--- /dev/null
+++ b/googlepatches/google-7-srtp-security-fix.patch
@@ -0,0 +1,91 @@
+diff --git a/google3/third_party/libsrtp/crypto/include/integers.h b/google3/third_party/libsrtp/crypto/include/integers.h
+index 7010efd..3515d13 100644
+--- a/google3/third_party/libsrtp/crypto/include/integers.h
++++ b/google3/third_party/libsrtp/crypto/include/integers.h
+@@ -98,7 +98,6 @@ typedef unsigned short int	uint16_t;
+ typedef unsigned int		uint32_t;
+ #endif
+ 
+-
+ #ifdef NO_64BIT_MATH
+ typedef double uint64_t;
+ /* assert that sizeof(double) == 8 */
+diff --git a/google3/third_party/libsrtp/include/srtp.h b/google3/third_party/libsrtp/include/srtp.h
+index 7f17853..bbaac95 100644
+--- a/google3/third_party/libsrtp/include/srtp.h
++++ b/google3/third_party/libsrtp/include/srtp.h
+@@ -50,10 +50,6 @@
+ extern "C" {
+ #endif
+ 
+-#ifdef _MSC_VER
+-#pragma pack(4)
+-#endif
+-
+ #include "crypto_kernel.h" 
+ 
+ /**
+@@ -930,10 +926,6 @@ srtp_install_event_handler(srtp_event_handler_func_t func);
+ #define SRTCP_E_BYTE_BIT 0x80
+ #define SRTCP_INDEX_MASK 0x7fffffff
+ 
+-#ifdef _MSC_VER
+-#pragma pack()
+-#endif
+-
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/google3/third_party/libsrtp/srtp/srtp.c b/google3/third_party/libsrtp/srtp/srtp.c
+index 6010dd4..3fc52ee 100644
+--- a/google3/third_party/libsrtp/srtp/srtp.c
++++ b/google3/third_party/libsrtp/srtp/srtp.c
+@@ -1657,6 +1657,8 @@ srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
+   srtp_stream_ctx_t *stream;
+   int prefix_len;
+   uint32_t seq_num;
++  int e_bit_in_packet;     /* whether the E-bit was found in the packet */
++  int sec_serv_confidentiality; /* whether confidentiality was requested */
+ 
+   /* we assume the hdr is 32-bit aligned to start */
+   /*
+@@ -1694,7 +1696,10 @@ srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
+       return err_status_no_ctx;
+     } 
+   }
+-  
++
++  sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
++      stream->rtcp_services == sec_serv_conf_and_auth;
++
+   /* get tag length from stream context */
+   tag_len = auth_get_tag_length(stream->rtcp_auth); 
+ 
+@@ -1714,8 +1719,12 @@ srtp_unprotect_rtcp(srtp_t ctx, void *srtcp_hdr, int *pkt_octet_len) {
+    */
+   trailer = (uint32_t *) ((char *) hdr +
+ 		     *pkt_octet_len -(tag_len + sizeof(srtcp_trailer_t)));
+-  if (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) {
+-    enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;  
++  e_bit_in_packet = (*((unsigned char *) trailer) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
++  if (e_bit_in_packet != sec_serv_confidentiality) {
++    return err_status_cant_check;
++  }
++  if (sec_serv_confidentiality) {
++    enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
+   } else {
+     enc_octet_len = 0;
+     enc_start = NULL; /* this indicates that there's no encryption */
+diff --git a/google3/third_party/libsrtp/test/srtp_driver.c b/google3/third_party/libsrtp/test/srtp_driver.c
+index f6a84f9..3c97072 100644
+--- a/google3/third_party/libsrtp/test/srtp_driver.c
++++ b/google3/third_party/libsrtp/test/srtp_driver.c
+@@ -1246,7 +1246,7 @@ srtp_create_big_policy(srtp_policy_t **list) {
+    * loop over policy list, mallocing a new list and copying values
+    * into it (and incrementing the SSRC value as we go along)
+    */
+-  tmp = NULL;
++  tmp = p = NULL;
+   while (policy_array[i] != NULL) {
+     p  = (srtp_policy_t*) malloc(sizeof(srtp_policy_t));
+     if (p == NULL)