[secdir] secdir review of draft-ietf-avt-rtp-ipmr-12.txt

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 05 March 2010 13:56 UTC

Date: Fri, 5 Mar 2010 14:55:54 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: info@spiritdsp.com
Cc: iesg@ietf.org, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-avt-rtp-ipmr-12.txt

Hi.

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The document defines how SPIRIT IP-MR encoded speech signals can be
transported over RTP. The security considerations seem to be adequate.
However, I am concerned about the C code in the appendix extracting
frame information. The code does not seem to do proper bound checking,
which I think is a problem that needs to be fixed. I understand that
the frame size is an out parameter - still the size of the buffer
passed via pCoded should be available so that proper bound checking
can be performed.

Other than that, I noticed a number of editorial issues, mostly due to
missing articles etc. I am attaching a unified context diff correcting
some of the issues (but note that I stopped making changes at the end
of section 3 - so there is likely more to fix).

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
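
The bounds-checking concern raised in the review, as an added example that is not code from the draft or from the reviewer: a frame-info extractor that receives the size of the buffer behind pCoded and validates every read against it. The header layout (a layer count followed by one length byte per layer) and the names codedLen, get_frame_info and frame_size_or_error are assumptions made for illustration, not the IP-MR payload format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LAYERS 4 /* assumed limit for this illustrative format */

/* Hypothetical layout: byte 0 low nibble = layer count n (1..MAX_LAYERS),
 * bytes 1..n = per-layer payload lengths, then the payload bytes.
 * codedLen is the number of valid bytes behind pCoded; *pFrameSize is
 * written only on success. Returns 0 on success, -1 on bad input. */
int get_frame_info(const uint8_t *pCoded, size_t codedLen, size_t *pFrameSize)
{
    size_t nLayers, total, i;

    if (pCoded == NULL || pFrameSize == NULL || codedLen < 1)
        return -1;                    /* nothing safe to read */
    nLayers = pCoded[0] & 0x0F;
    if (nLayers == 0 || nLayers > MAX_LAYERS)
        return -1;                    /* count outside the allowed range */
    if (codedLen < 1 + nLayers)
        return -1;                    /* length table is truncated */
    total = 1 + nLayers;
    for (i = 0; i < nLayers; i++)
        total += pCoded[1 + i];       /* in bounds: checked just above */
    if (total > codedLen)
        return -1;                    /* declared frame overruns the buffer */
    *pFrameSize = total;
    return 0;
}

/* Convenience wrapper: frame size in bytes, or -1 when rejected. */
long frame_size_or_error(const uint8_t *buf, size_t len)
{
    size_t sz = 0;
    return get_frame_info(buf, len, &sz) == 0 ? (long)sz : -1L;
}

/* Constructed sample input: 2 layers of 3 and 1 bytes, 7 bytes in total. */
const uint8_t SAMPLE_OK[] = { 0x02, 0x03, 0x01, 0xAA, 0xBB, 0xCC, 0xDD };
/* Constructed sample input: layer count 9 exceeds MAX_LAYERS. */
const uint8_t SAMPLE_BAD_COUNT[] = { 0x09, 0x01, 0x01 };

int main(void)
{
    printf("complete frame:  %ld\n", frame_size_or_error(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated frame: %ld\n", frame_size_or_error(SAMPLE_OK, 4));
    printf("bad layer count: %ld\n",
           frame_size_or_error(SAMPLE_BAD_COUNT, sizeof SAMPLE_BAD_COUNT));
    return 0;
}
```

The frame size remains an out parameter, as in the interface the review describes; the only interface change is the extra input length.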