2 comments on “The WhatsApp RTCP exploit – what might have happened?”

  1. 1500 (common MTU) – 20 (IP header) = 1480 (UDP header + payload).
    I think every check involving that value is meant to be considered on the whole UDP datagram. If your WhatsApp stack analysis still stands, their VoIP service does not use ICE, so it makes sense that the implementation directly handles UDP datagrams.

    In general there is nothing wrong with using datagrams (and RTCP compound packets) bigger than 1480, given that you want to accept all the consequences of MTU segmentation. But by looking at the mentioned diffs my idea is that the checks are intended to limit the data given to the parsers on a size basis. Indeed there is a memcpy instruction and raw handling of buffer locations, suggesting the usage of statically allocated, fixed-size arrays as buffers.

    • Right but why would you use a 1480 byte buffer in the first place instead of 1472? The UDP header would typically be stored separately…
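The thread above turns on two things: what the size bound on a received datagram should be before it is copied into a fixed buffer, and whether the RTCP compound-packet parser checks each sub-packet's length field against the bytes actually received. The C below is an added example written for this comment section; it is not code from the post or from WhatsApp. The 1500/20/8 arithmetic and the 1472-byte payload bound follow the commenters' numbers, the RTCP header layout follows RFC 3550, and the sample datagrams, function names and buffer size are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed sizes, taken from the thread's arithmetic: a 1500-byte MTU minus a
 * 20-byte IPv4 header leaves 1480 bytes of UDP datagram, of which 8 bytes are
 * the UDP header, so at most 1472 bytes of payload reach an RTCP parser. */
#define MTU_BYTES          1500
#define IPV4_HEADER_BYTES  20
#define UDP_HEADER_BYTES   8
#define MAX_UDP_PAYLOAD    (MTU_BYTES - IPV4_HEADER_BYTES - UDP_HEADER_BYTES) /* 1472 */

#define RTCP_HEADER_BYTES  4
#define RTCP_VERSION       2

/* Walk an RTCP compound packet and check that every sub-packet's length field
 * (a count of 32-bit words minus one, header included) fits inside the bytes
 * actually received. Returns the number of sub-packets, or -1 on any
 * truncated header, wrong version, or length field that overruns the data. */
int rtcp_compound_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < RTCP_HEADER_BYTES) return -1;       /* truncated header */
        if ((buf[off] >> 6) != RTCP_VERSION) return -1;    /* V must be 2 */
        size_t words = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        size_t pkt_len = (words + 1) * 4;                  /* bytes incl. header */
        if (pkt_len > len - off) return -1;                /* declared > received */
        off += pkt_len;
        count++;
    }
    return count;
}

/* Receive path with a statically allocated, fixed-size buffer. The bound is
 * checked against the payload size before memcpy, and the buffer is sized for
 * the payload (1472), not the whole datagram (1480). */
int rx_rtcp_datagram(const uint8_t *payload, size_t len)
{
    static uint8_t rxbuf[MAX_UDP_PAYLOAD];
    if (len > sizeof rxbuf) return -1;     /* reject before copying */
    memcpy(rxbuf, payload, len);
    return rtcp_compound_validate(rxbuf, len);
}

/* Constructed sample: an RR with no report blocks (8 bytes, length=1) followed
 * by an SDES with one CNAME chunk (16 bytes, length=3). */
const uint8_t SAMPLE_VALID[] = {
    0x80, 0xC9, 0x00, 0x01, 0x12, 0x34, 0x56, 0x78,
    0x81, 0xCA, 0x00, 0x03, 0x12, 0x34, 0x56, 0x78,
    0x01, 0x03, 'a',  'b',  'c',  0x00, 0x00, 0x00
};

/* Constructed sample: an RR whose length field claims 44 bytes although only
 * 8 were received; a parser trusting the field would read past the datagram. */
const uint8_t SAMPLE_BAD_LENGTH[] = {
    0x80, 0xC9, 0x00, 0x0A, 0x12, 0x34, 0x56, 0x78
};

int main(void)
{
    printf("valid compound: %d sub-packets\n",
           rx_rtcp_datagram(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("bad length field: %d\n",
           rx_rtcp_datagram(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH));
    uint8_t oversize[MAX_UDP_PAYLOAD + 1] = {0};
    printf("oversize payload: %d\n",
           rx_rtcp_datagram(oversize, sizeof oversize));
    return 0;
}
```

The two checks are independent: the outer bound protects the fixed buffer from the datagram size, and the per-packet walk protects the parser from a length field that is internally consistent with the 32-bit-word format but larger than the bytes present. Either check alone leaves the other failure mode open.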
