From 28efacc8d83c14d45f9f0d71f130002d6281960d Mon Sep 17 00:00:00 2001
From: Richard Fuchs <rfuchs@sipwise.com>
Date: Thu, 2 Apr 2020 16:21:07 -0400
Subject: [PATCH] TT#76711 more resilient UDPTL handling

Change-Id: I11b40cdd0c0562f49bd702f7efa58f9cf01d87e9
---
 daemon/t38.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/daemon/t38.c b/daemon/t38.c
index e1a26bae6..1162db55a 100644
--- a/daemon/t38.c
+++ b/daemon/t38.c
@@ -554,6 +554,7 @@ static void __fec_save(struct t38_gateway *tg, const str *piece, uint16_t seq) {
 
 int t38_gateway_input_udptl(struct t38_gateway *tg, const str *buf) {
 	const char *err = NULL;
+	struct udptl_packet *up = NULL;
 
 	if (!tg)
 		return 0;
@@ -582,7 +583,7 @@ int t38_gateway_input_udptl(struct t38_gateway *tg, const str *buf) {
 
 	ilog(LOG_DEBUG, "Received primary IFP packet, len %i, seq %i", piece.len, seq);
 	str primary = piece;
-	struct udptl_packet *up = __make_udptl_packet(&primary, seq);
+	up = __make_udptl_packet(&primary, seq);
 
 	err = "Error correction mode byte missing";
 	if (str_shift_ret(&s, 1, &piece))
@@ -591,6 +592,14 @@ int t38_gateway_input_udptl(struct t38_gateway *tg, const str *buf) {
 
 	mutex_lock(&tg->lock);
 
+	long diff = seq - up->p.seq;
+	if (diff > 100 || diff < -100) {
+		ilog(LOG_INFO | LOG_FLAG_LIMIT, "Ignoring UDPTL packet with wildly off seq (%u <> %u)",
+				(unsigned int) seq, (unsigned int) up->p.seq);
+		err = NULL;
+		goto err;
+	}
+
 	// XXX possible short path here without going through the sequencer
 	int ret = packet_sequencer_insert(&tg->sequencer, &up->p);
 	if (ret < 0) {
@@ -743,6 +752,8 @@ out:
 err:
 	if (err)
 		ilog(LOG_ERR | LOG_FLAG_LIMIT, "Failed to process UDPTL/T.38/IFP packet: %s", err);
+	if (up)
+		__udptl_packet_free(up);
 	return -1;
 }