From patchwork Sun May  4 09:17:53 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andreas Eversberg <andreas@eversberg.eu>
X-Patchwork-Id: 345453
Return-Path: <openbsc-bounces@lists.osmocom.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from ganesha.gnumonks.org (ganesha.gnumonks.org [213.95.27.120])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 2B1231400C6
	for <incoming@patchwork.ozlabs.org>;
	Sun,  4 May 2014 19:18:28 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=ganesha.gnumonks.org)
	by ganesha.gnumonks.org with esmtp (Exim 4.72)
	(envelope-from <openbsc-bounces@lists.osmocom.org>)
	id 1WgsYp-0006J9-Hk; Sun, 04 May 2014 11:18:15 +0200
Received: from mx.ibsd.net ([62.214.121.40])
	by ganesha.gnumonks.org with esmtp (Exim 4.72)
	(envelope-from <andreas@eversberg.eu>) id 1WgsYV-0006J2-4g
	for openbsc@lists.osmocom.org; Sun, 04 May 2014 11:17:59 +0200
Received: from mx0.ibsd.net ([62.214.121.44])
	by mx-3.ibsd.net with ESMTP; 04 May 2014 11:17:54 +0200
Received: from mail.ibsd.net (mail.ibsd.net [62.214.121.35])
	by mx0.ibsd.net (8.13.8/8.13.8) with ESMTP id s449Hs6L031317;
	Sun, 4 May 2014 11:17:54 +0200
Received: from [10.0.0.32] (home.eversberg.eu [82.139.198.227])
	(authenticated bits=0)
	by mail.ibsd.net (8.13.8/8.13.8) with ESMTP id s449Hrcj027085;
	Sun, 4 May 2014 11:17:53 +0200
Message-ID: <536605C1.8080206@eversberg.eu>
Date: Sun, 04 May 2014 11:17:53 +0200
From: Andreas Eversberg <andreas@eversberg.eu>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:27.0) Gecko/20100101 Firefox/27.0 SeaMonkey/2.24
MIME-Version: 1.0
To: Holger Hans Peter Freyther <holger@freyther.de>
Subject: Re: [PATCH 4/9] Add support for AMR frames to MNCC/RTP interface
References: <1392793078-30854-1-git-send-email-jolly@eversberg.eu>
	<1392793078-30854-4-git-send-email-jolly@eversberg.eu>
	<20140320214603.GA11963@xiaoyu.lan>
	<20140417212945.GB31314@xiaoyu.lan> <5350F977.6060201@eversberg.eu>
	<20140420143020.GD14607@xiaoyu.lan>
	<20140429065219.GA3544@xiaoyu.lan>
In-Reply-To: <20140429065219.GA3544@xiaoyu.lan>
X-Spam-Score: 0.0 (/)
Cc: Andreas Eversberg <jolly@eversberg.eu>, openbsc@lists.osmocom.org
X-BeenThere: openbsc@lists.osmocom.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development of the OpenBSC GSM base station controller
	<openbsc.lists.osmocom.org>
List-Unsubscribe: <https://lists.osmocom.org/mailman/options/openbsc>,
	<mailto:openbsc-request@lists.osmocom.org?subject=unsubscribe>
List-Archive: <http://lists.osmocom.org/pipermail/openbsc>
List-Post: <mailto:openbsc@lists.osmocom.org>
List-Help: <mailto:openbsc-request@lists.osmocom.org?subject=help>
List-Subscribe: <https://lists.osmocom.org/mailman/listinfo/openbsc>,
	<mailto:openbsc-request@lists.osmocom.org?subject=subscribe>
Sender: openbsc-bounces@lists.osmocom.org
Errors-To: openbsc-bounces@lists.osmocom.org

>>> i had that patch done already. (see attachment)
>> what was the message id?  I didn't see it.
> Could you please answer this one?
hi holger,

sorry, i did not express myself well enough. i meant that i already 
wrote the patch, but did not send it to the mailing list.
>> This lacks input validation. The code needs to check that the data
>> we read is within the bounds of the msgb and the data we write is within
>> the bounds too.
i added a check that limits the GSM frames to 33 octets (full speech). 
(AMR requires only 31 octets + 1 octet length indicator.) an MNCC 
message has much larger msgb allocation when received. see attachment.

best regards

andreas

From 9175347f5a357317feba67e82b4ff3bc3aca5baf Mon Sep 17 00:00:00 2001
From: Andreas Eversberg <jolly@eversberg.eu>
Date: Thu, 8 Mar 2012 14:39:19 +0100
Subject: [PATCH] Add support for AMR frames to MNCC/RTP interface

AMR rate is currently fixed to 5.9k.
---
 openbsc/src/libmsc/gsm_04_08.c  |  1 +
 openbsc/src/libtrau/rtp_proxy.c | 53 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 48 insertions(+), 6 deletions(-)

diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index df93433..a0650ab 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -2953,6 +2953,7 @@ int mncc_tx_to_cc(struct gsm_network *net, int msg_type, void *arg)
 	case GSM_TCHF_FRAME:
 	case GSM_TCHF_FRAME_EFR:
 	case GSM_TCHH_FRAME:
+	case GSM_TCH_FRAME_AMR:
 		/* Find callref */
 		trans = trans_find_by_callref(net, data->callref);
 		if (!trans) {
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 143bfa0..95729ef 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -192,21 +192,41 @@ static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data)
 			return -EINVAL;
 		}
 		break;
+	case RTP_PT_AMR:
+		break;
 	default:
 		DEBUGPC(DLMUX, "received RTP frame with unknown payload "
 			"type %d\n", rtph->payload_type);
 		return -EINVAL;
 	}
 
-	new_msg = msgb_alloc(sizeof(struct gsm_data_frame) + payload_len,
-				"GSM-DATA");
+	if (payload_len > 33) {
+		DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
+			payload_len);
+		return -EINVAL;
+	}
+
+	if (rtph->payload_type == RTP_PT_AMR) {
+		new_msg = msgb_alloc(sizeof(struct gsm_data_frame) + 1
+				     + payload_len, "GSM-DATA (AMR)");
+	} else {
+		new_msg = msgb_alloc(sizeof(struct gsm_data_frame)
+				     + payload_len, "GSM-DATA");
+	}
 	if (!new_msg)
 		return -ENOMEM;
 	frame = (struct gsm_data_frame *)(new_msg->data);
 	frame->msg_type = msg_type;
 	frame->callref = callref;
-	memcpy(frame->data, payload, payload_len);
-	msgb_put(new_msg, sizeof(struct gsm_data_frame) + payload_len);
+	if (rtph->payload_type == RTP_PT_AMR) {
+		frame->data[0] = payload_len;
+		msgb_put(new_msg, sizeof(struct gsm_data_frame) + 1
+					 + payload_len);
+		memcpy(frame->data + 1, payload, payload_len);
+	} else {
+		msgb_put(new_msg, sizeof(struct gsm_data_frame) + payload_len);
+		memcpy(frame->data, payload, payload_len);
+	}
 
 	*data = new_msg;
 	return 0;
@@ -264,6 +284,11 @@ int rtp_send_frame(struct rtp_socket *rs, struct gsm_data_frame *frame)
 		payload_len = RTP_LEN_GSM_HALF;
 		duration = RTP_GSM_DURATION;
 		break;
+	case GSM_TCH_FRAME_AMR:
+		payload_type = RTP_PT_AMR;
+		payload_len = frame->data[0];
+		duration = RTP_GSM_DURATION;
+		break;
 	default:
 		DEBUGPC(DLMUX, "unsupported message type %d\n",
 			frame->msg_type);
@@ -291,7 +316,18 @@ int rtp_send_frame(struct rtp_socket *rs, struct gsm_data_frame *frame)
 		}
 	}
 
-	msg = msgb_alloc(sizeof(struct rtp_hdr) + payload_len, "RTP-GSM-FULL");
+	if (payload_len > 33) {
+		DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
+			payload_len);
+		return -EINVAL;
+	}
+
+	if (frame->msg_type == GSM_TCH_FRAME_AMR)
+		msg = msgb_alloc(sizeof(struct rtp_hdr) + payload_len,
+			"RTP-GSM (AMR)");
+	else
+		msg = msgb_alloc(sizeof(struct rtp_hdr) + payload_len,
+			"RTP-GSM");
 	if (!msg)
 		return -ENOMEM;
 	rtph = (struct rtp_hdr *)msg->data;
@@ -305,7 +341,12 @@ int rtp_send_frame(struct rtp_socket *rs, struct gsm_data_frame *frame)
 	rtph->timestamp = htonl(rs->transmit.timestamp);
 	rs->transmit.timestamp += duration;
 	rtph->ssrc = htonl(rs->transmit.ssrc);
-	memcpy(msg->data + sizeof(struct rtp_hdr), frame->data, payload_len);
+	if (frame->msg_type == GSM_TCH_FRAME_AMR)
+		memcpy(msg->data + sizeof(struct rtp_hdr), frame->data + 1,
+			payload_len);
+	else
+		memcpy(msg->data + sizeof(struct rtp_hdr), frame->data,
+			payload_len);
 	msgb_put(msg, sizeof(struct rtp_hdr) + payload_len);
 	msgb_enqueue(&rss->tx_queue, msg);
 	rss->bfd.when |= BSC_FD_WRITE;
-- 
1.8.1.5