The header conversion is now much clearer. Take the chance to delay the
memset(buf) after the checks.
Change-Id: I5042dc628ac70eca62b4980f4acae991dd976528
There's no need to have the variable as signed anymore since the loop
was modified in the previous patch. osmo_amr_bytes() returns a size_t
(unsigned).
Change-Id: I8aa6b5f6d3334e152a62b7c28aac3f881f027894
oa_payload_len can be 2 if osmo_amr_bytes() returns 0 (it will return 0
when FT NO_DATA is supported). In tha case, the loop condition
(oa_payload_len - 3) (signed) is compared against unsigned i which ends
up accessing i=256.
Change-Id: I1e513f493d7883a03acbfa3d9744ec63657810b3
The check was wrong for format types containing extra bits not aligned
to byte boundaries, such as FT7 (AMR Code 12.20, 244 bits, 31 bytes).
if the source has 1-6 extra bits, they can be fit with one less byte
when shifting 10 bits to the left.
Change-Id: I0552d727585886d25f613e64ca815fb6dcd53f25
The proper order is CMR(4)+F(1)+FT(4)+Q(1).
Hence, FT is 3 least significant bits of first byte and 1 most
significant bit of secont byte.
Change-Id: I66f39d3b9a608f07c202e7a5084a8537e9978a94
These APIs allow for easy re-formatting of received AMR to forward
between regular RTP and IuUP.
Related: OS#1937
Change-Id: Id2bd32d5f2060abe581730996dc4251381bf7d4f
The for loop in osmo_amr_bwe_to_oa, that converts the body part of the
AMR payload runs one byte too far. This may cause that some of the
padding bits in the end are not set to zero. The loop is designed to
convert n-1 bytes and the nth byte is done separately at the end.
Change-Id: I91e755b83aaac722079879c026d913cc446812d1
Size of a single AMR frame doesn't always shrink by a byte when
converted from octet-aligned to bandwidth-efficient mode. It does
shrink for AMR modes 2, 3, 4, 6, and 7 but doesn't shrink for
AMR modes 0, 1, 5, and SID frames because we only remove 6 bits.
So old code generated truncated AMR packets for those AMR modes.
This patch fixes the length calculation by properly counting bits.
Proper bit counting is also bringing us one small step closer to
properly handlig multi-frame AMR packets.
Change-Id: I0462e054a0adc9080456f3eeea9cab7c229cdb70
This reverts commit 002a51e218.
Reason for revert: amr_test fails with sanitizer build:
Sample No.: 6
bw-efficient: a7bfc03fc03fc03fc03fc03fc03fc03fc03fc03fc03fc03fc03fc03fc03fc03f
1010011110111111110000000011111111000000001111111100000000111111110000000011111111000000001111111100000000111111110000000011111111000000001111111100000000111111110000000011111111000000001111111100000000111111110000000011111111000000001111111100000000111111
../../../src/libosmo-netif/src/amr.c:63:24: runtime error: index 15 out of bounds for type 'size_t [9]'
../../../src/libosmo-netif/src/amr.c:63:24: runtime error: load of address 0x7f69498e56b8 with insufficient space for an object of type 'size_t'
0x7f69498e56b8: note: pointer points here
00 00 00 00 00 00 00 00 00 00 00 00 5f 00 00 00 00 00 00 00 67 00 00 00 00 00 00 00 76 00 00 00
^
=================================================================
==489935==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f69498e56b8 at pc 0x7f69498abec7 bp 0x7ffeafb35330 sp 0x7ffeafb35328
READ of size 8 at 0x7f69498e56b8 thread T0
#0 0x7f69498abec6 in osmo_amr_bytes ../../../src/libosmo-netif/src/amr.c:63
#1 0x7f69498ac661 in osmo_amr_bwe_to_oa ../../../src/libosmo-netif/src/amr.c:193
#2 0x5648b11afb96 in osmo_amr_bwe_to_oa_test ../../../src/libosmo-netif/tests/amr/amr_test.c:134
#3 0x5648b11af31d in main ../../../src/libosmo-netif/tests/amr/amr_test.c:235
#4 0x7f6948d5de0a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26e0a)
#5 0x5648b11af3d9 in _start (/n/s/dev/make/libosmo-netif/tests/amr/amr_test+0x43d9)
0x7f69498e56b8 is located 8 bytes to the left of global variable 'amr_ft_to_bits' defined in '../../../src/libosmo-netif/src/amr.c:32:15' (0x7f69498e56c0) of size 72
0x7f69498e56b8 is located 48 bytes to the right of global variable 'amr_ft_to_bytes' defined in '../../../src/libosmo-netif/src/amr.c:44:15' (0x7f69498e5640) of size 72
SUMMARY: AddressSanitizer: global-buffer-overflow ../../../src/libosmo-netif/src/amr.c:63 in osmo_amr_bytes
Change-Id: I8232521c513722435e71dc90bdbfee10f8f83496
Size of a single AMR frame doesn't always shrink by a byte when
converted from octet-aligned to bandwidth-efficient mode. It does
shrink for AMR modes 2, 3, 4, 6, and 7 but doesn't shrink for
AMR modes 0, 1, 5, and SID frames because we only remove 6 bits.
So old code generated truncated AMR packets for those AMR modes.
This patch fixes the length calculation by properly counting bits.
Proper bit counting is also bringing us one small step closer to
properly handlig multi-frame AMR packets.
Change-Id: I9fc5fb92e9bada22a47a82fcfb0925e892e50ced
The header of an AMR header payload is 2 bytes long. At the moment we
use just a constant of 2 when we refer to the header length, but we have a
struct amr_hdr defined. Lets use sizeof(struct amr_hdr) to make it more
clear that we are refering to the header length.
Change-Id: Ic7ca04b99a97d7d3b91717b0c3e6c55ef3001a3e
osmo_amr_bwe_to_oa() uses an internal buffer with static size to store
intermediate results. The buffer is large enough for any real world
situation, but the check that tests if the result would fit into the
internal buffer is incorrect. It checks if there is enough room for the
existing payload, but does not include the expected growth of the
payload. Eventually the buffer could be overrun by one byte if one would
put a 256 byte long AMR payload.
Fixes: CID#195926
Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228
RFC 3267 describes two different AMR frame formats. Octet Aligned and
Bandwidth efficient mode. In Bandwith efficient mode the padding bits,
which are used to align CMR, TOC and payload on octet boundaries are
saved and the fielda are packed directly one after another.
- Add functions to convert from one mode to the other and vice versa.
- Add function to detect in which mode an AMR frame is encoded.
Change-Id: I5b5a0fa644d8dbb1f04f9d7e35312683c7b3d196
Related: SYS#4470
AMR uses different payload sizes, those sizes are well defined in RFC
3267. Lets add define constants and replace the magic values with the
define constants.
Also correct the value for AMR_FT_SID in amr_ft_to_bytes from 6 to 5
(39bits / 8 = 4.875 bytes ==> 5 byte, see also RFC 3267, chapter 3.6)
Change-Id: I65b5da920d58015b875d6dcf17aacdc04b58955e
According to RFC3267, AMR FT upper 9 should be discarded. This patch
adds extra validation to make sure that input RTP traffic encapsulating
AMR payload and OSMUX amr_ft field are OK with regards to that
restriction.
Pau Espin
Philipp Maier
Alexander Couzens
Neels Hofmeyr
Harald Welte