Pion Interceptor RTP Packet Padding Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Pion Interceptor, a framework for RTP/RTCP communication. This issue affects versions 0.1.36 through 0.1.38 and arises from improper handling of RTP packet padding. Users of Pion-based Selective Forwarding Units (SFUs) are particularly impacted, as the vulnerability can be exploited by sending crafted RTP packets that trigger a panic, causing a crash. The root cause lies in the RTP packet factory, which failed to validate padding lengths before processing, allowing packets with excessive or invalid padding to disrupt normal operation.

Impact

Exploitation of this vulnerability causes a panic in the application, leading to a crash. This disruption can be particularly harmful when the application is used as a Selective Forwarding Unit (SFU) in a WebRTC context, where such a crash can interrupt ongoing media communications.

Reproduction

The vulnerability can be reproduced by using Pion Interceptor versions 0.1.36 to 0.1.38 and sending RTP packets with crafted padding that exceeds the payload length. This can be done by setting the P-bit (indicating padding) to true and manipulating the padLen (padding length) to create an overflow condition. Once the packet is received by the Pion Interceptor's RTP packet factory, the improper padding handling will trigger a panic, causing the application to crash.

Remediation

Users should upgrade to Pion Interceptor version 0.1.39 or later, which includes a fix for the padding validation issue. If an immediate upgrade is not possible, the patch from pull request #338 can be applied manually, or RTP packets with invalid padding can be dropped before they are processed by Pion's packet factories.
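A pre-filter of the kind the remediation describes, as an added example that is not Pion's own code: it parses only the RTP header fields needed for the check (CSRC count, extension header, P-bit) and rejects any packet whose padding count is zero or larger than the payload, so such packets never reach the packet factory. The function name and error values are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

const rtpFixedHeaderLen = 12 // RFC 3550 fixed header without CSRCs

var (
	errShortPacket    = errors.New("rtp: packet shorter than its header")
	errInvalidPadding = errors.New("rtp: padding count is zero or exceeds payload")
)

// ValidateRTPPadding returns the header length and the padding-free payload
// length of a raw RTP packet. A non-nil error means the packet should be
// dropped before it is handed to any packet factory.
func ValidateRTPPadding(pkt []byte) (headerLen int, payloadLen int, err error) {
	if len(pkt) < rtpFixedHeaderLen {
		return 0, 0, errShortPacket
	}
	hasPadding := pkt[0]&0x20 != 0   // P bit
	hasExtension := pkt[0]&0x10 != 0 // X bit
	csrcCount := int(pkt[0] & 0x0F)  // CC field
	headerLen = rtpFixedHeaderLen + 4*csrcCount
	if hasExtension {
		// Extension header: 16-bit profile, 16-bit length in 32-bit words.
		if len(pkt) < headerLen+4 {
			return 0, 0, errShortPacket
		}
		extWords := int(binary.BigEndian.Uint16(pkt[headerLen+2 : headerLen+4]))
		headerLen += 4 + 4*extWords
	}
	if len(pkt) < headerLen {
		return 0, 0, errShortPacket
	}
	payloadLen = len(pkt) - headerLen
	if hasPadding {
		// The last octet is the padding count and includes itself, so it
		// must be at least 1 and never larger than the bytes after the header.
		padLen := int(pkt[len(pkt)-1])
		if padLen == 0 || padLen > payloadLen {
			return 0, 0, errInvalidPadding
		}
		payloadLen -= padLen
	}
	return headerLen, payloadLen, nil
}
```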

Added: Jun 9, 2025, 10:58 PM
Updated: Jun 9, 2025, 10:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.