harden midi parsing and timing state

Fix RTP clock rollover and parser state handling
Fix buffer overflow when output queue is full, seed participant sequence numbers on invite, and make parser consume loops safe. normalize protocol constants/types, reset journal state on errors, and improve rtp clock initialization.

Author: lathoub

src/AppleMIDI.h

@@ -248,6 +248,7 @@ class AppleMIDISession
                 if (nullptr != _exceptionCallback)
                     _exceptionCallback(ssrc, BufferFullException, 0);
 #endif
+                return;
             }
         }
 

src/AppleMIDI.hpp

@@ -143,6 +143,7 @@ void AppleMIDISession<UdpClass, Settings, Platform>::ReceivedControlInvitation(A
 #endif
     participant.kind = Listener;
     participant.ssrc = invitation.ssrc;
+    participant.sendSequenceNr = random(1, UINT16_MAX); // http://www.rfc-editor.org/rfc/rfc6295.txt , 2.1.  RTP Header
     participant.remoteIP   = controlPort.remoteIP();
     participant.remotePort = controlPort.remotePort();
     participant.lastSyncExchangeTime = now;
@@ -1050,6 +1051,7 @@ bool AppleMIDISession<UdpClass, Settings, Platform>::sendInvite(IPAddress ip, ui
     Participant<Settings> participant;
 #endif
     participant.kind = Initiator;
+    participant.sendSequenceNr = random(1, UINT16_MAX); // http://www.rfc-editor.org/rfc/rfc6295.txt , 2.1.  RTP Header
     participant.remoteIP = ip;
     participant.remotePort = port;
     participant.lastInviteSentTime = now - 1000; // forces invite to be send immediately

src/AppleMIDI_Defs.h

@@ -22,7 +22,7 @@ union conversionBuffer
     uint16_t value16;
     uint32_t value32;
     uint64_t value64;
-    byte buffer[8];
+    uint8_t buffer[8];
 };
 
 
@@ -147,19 +147,19 @@ using sentRtpMidiCallback           = void (*)(const RtpMIDI_t&);
 #endif
 
 /* Signature "Magic Value" for Apple network MIDI session establishment */
-const byte amSignature[] = {0xff, 0xff};
+static constexpr uint8_t amSignature[] = {0xff, 0xff};
 
 /* 2 (stored in network byte order (big-endian)) */
-const byte amProtocolVersion[] = {0x00, 0x00, 0x00, 0x02};
+static constexpr uint8_t amProtocolVersion[] = {0x00, 0x00, 0x00, 0x02};
 
 /* Apple network MIDI valid commands */
-const byte amInvitation[]          = {'I', 'N'};
-const byte amEndSession[]          = {'B', 'Y'};
-const byte amSynchronization[]     = {'C', 'K'};
-const byte amInvitationAccepted[]  = {'O', 'K'};
-const byte amInvitationRejected[]  = {'N', 'O'};
-const byte amReceiverFeedback[]    = {'R', 'S'};
-const byte amBitrateReceiveLimit[] = {'R', 'L'};
+static constexpr uint8_t amInvitation[]          = {'I', 'N'};
+static constexpr uint8_t amEndSession[]          = {'B', 'Y'};
+static constexpr uint8_t amSynchronization[]     = {'C', 'K'};
+static constexpr uint8_t amInvitationAccepted[]  = {'O', 'K'};
+static constexpr uint8_t amInvitationRejected[]  = {'N', 'O'};
+static constexpr uint8_t amReceiverFeedback[]    = {'R', 'S'};
+static constexpr uint8_t amBitrateReceiveLimit[] = {'R', 'L'};
 
 const uint8_t SYNC_CK0 = 0;
 const uint8_t SYNC_CK1 = 1;

src/AppleMIDI_Namespace.h

@@ -6,8 +6,4 @@
     {
 #define END_APPLEMIDI_NAMESPACE }
 
-#define USING_NAMESPACE_APPLEMIDI using namespace APPLEMIDI_NAMESPACE;
-
-BEGIN_APPLEMIDI_NAMESPACE
-
-END_APPLEMIDI_NAMESPACE
+#define USING_NAMESPACE_APPLEMIDI using namespace APPLEMIDI_NAMESPACE;

src/AppleMIDI_Parser.h

@@ -21,8 +21,8 @@ class AppleMIDIParser
 	{
 		conversionBuffer cb;
 
-		byte signature[2]; // Signature "Magic Value" for Apple network MIDI session establishment
-		byte command[2];   // 16-bit command identifier (two ASCII characters, first in high 8 bits, second in low 8 bits)
+		uint8_t signature[2]; // Signature "Magic Value" for Apple network MIDI session establishment
+		uint8_t command[2];   // 16-bit command identifier (two ASCII characters, first in high 8 bits, second in low 8 bits)
 
 		size_t minimumLen = (sizeof(signature) + sizeof(command)); // Signature + Command
 		if (buffer.size() < minimumLen)
@@ -42,7 +42,7 @@ class AppleMIDIParser
 
 		if (0 == memcmp(command, amInvitation, sizeof(amInvitation)))
 		{
-			byte protocolVersion[4];
+			uint8_t protocolVersion[4];
 
 			minimumLen += (sizeof(protocolVersion) + sizeof(initiatorToken_t) + sizeof(ssrc_t));
 			if (buffer.size() < minimumLen)
@@ -98,19 +98,22 @@ class AppleMIDIParser
             // flush the remainder of the packet.
             // First part if the session name is kept, processing continues
             if (i > minimumLen)
-                if (i == buffer.size() && buffer[i] != 0x00)
+                if (i == buffer.size() && buffer[buffer.size() - 1] != 0x00)
                     retVal = parserReturn::SessionNameVeryLong;
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front(); // consume all the bytes that made up this message
+                --i;
+            }
 
 			session->ReceivedInvitation(invitation, portType);
 
             return retVal;
 		}
 		else if (0 == memcmp(command, amEndSession, sizeof(amEndSession)))
 		{
-			byte protocolVersion[4];
+			uint8_t protocolVersion[4];
 
 			minimumLen += (sizeof(protocolVersion) + sizeof(initiatorToken_t) + sizeof(ssrc_t));
 			if (buffer.size() < minimumLen)
@@ -142,8 +145,11 @@ class AppleMIDIParser
 			cb.buffer[3] = buffer[i++];
 			endSession.ssrc = __ntohl(cb.value32);
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front(); // consume all the bytes that made up this message
+                --i;
+            }
 
 			session->ReceivedEndSession(endSession);
 
@@ -199,8 +205,11 @@ class AppleMIDIParser
 			cb.buffer[7] = buffer[i++];
 			synchronization.timestamps[2] = __ntohll(cb.value64);
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front(); // consume all the bytes that made up this message
+                --i;
+            }
 
 			session->ReceivedSynchronization(synchronization);
 
@@ -237,7 +246,7 @@ class AppleMIDIParser
 #ifdef APPLEMIDI_INITIATOR
 		else if (0 == memcmp(command, amInvitationAccepted, sizeof(amInvitationAccepted)))
 		{
-            byte protocolVersion[4];
+            uint8_t protocolVersion[4];
 
             minimumLen += (sizeof(protocolVersion) + sizeof(initiatorToken_t) + sizeof(ssrc_t));
             if (buffer.size() < minimumLen)
@@ -294,19 +303,22 @@ class AppleMIDIParser
             // flush the remainder of the packet.
             // First part if the session name is kept, processing continues
             if (i > minimumLen)
-                if (i == buffer.size() && buffer[i] != 0x00)
+                if (i == buffer.size() && buffer[buffer.size() - 1] != 0x00)
                     retVal = parserReturn::SessionNameVeryLong;
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front(); // consume all the bytes that made up this message
+                --i;
+            }
 
             session->ReceivedInvitationAccepted(invitationAccepted, portType);
 
             return retVal;
 		}
 		else if (0 == memcmp(command, amInvitationRejected, sizeof(amInvitationRejected)))
 		{
-            byte protocolVersion[4];
+            uint8_t protocolVersion[4];
 
             minimumLen += (sizeof(protocolVersion) + sizeof(initiatorToken_t) + sizeof(ssrc_t));
             if (buffer.size() < minimumLen)
@@ -359,8 +371,11 @@ class AppleMIDIParser
                 if (i == buffer.size() || buffer[i++] != 0x00)
                     return parserReturn::NotEnoughData;
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front(); // consume all the bytes that made up this message
+                --i;
+            }
 
             session->ReceivedInvitationRejected(invitationRejected);
 
@@ -386,8 +401,11 @@ class AppleMIDIParser
             cb.buffer[3] = buffer[i++];
             bitrateReceiveLimit.bitratelimit = __ntohl(cb.value32);
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front(); // consume all the bytes that made up this message
+                --i;
+            }
 
             session->ReceivedBitrateReceiveLimit(bitrateReceiveLimit);
 

src/AppleMIDI_Participant.h

@@ -9,23 +9,23 @@ BEGIN_APPLEMIDI_NAMESPACE
 template <class Settings>
 struct Participant
 {
-    ParticipantKind kind;
+    ParticipantKind kind = Listener;
     ssrc_t          ssrc = 0;
     IPAddress       remoteIP = INADDR_NONE;
     uint16_t        remotePort = 0;
 
-    unsigned long   receiverFeedbackStartTime;
+    unsigned long   receiverFeedbackStartTime = 0;
     bool            doReceiverFeedback = false;
 
-    uint16_t        sendSequenceNr = random(1, UINT16_MAX); // http://www.rfc-editor.org/rfc/rfc6295.txt , 2.1.  RTP Header
+    uint16_t        sendSequenceNr = 0; // seeded when session/participant is created
     uint16_t        receiveSequenceNr = 0;
 
-    unsigned long   lastSyncExchangeTime;
+    unsigned long   lastSyncExchangeTime = 0;
 
 #ifdef APPLEMIDI_INITIATOR
     uint8_t         connectionAttempts = 0;
     uint32_t        initiatorToken = 0;
-    unsigned long   lastInviteSentTime;
+    unsigned long   lastInviteSentTime = 0;
     InviteStatus    invitationStatus = Initiating;
 
     uint8_t         synchronizationHeartBeats = 0;
@@ -35,7 +35,7 @@ struct Participant
 
 #ifdef USE_EXT_CALLBACKS
     bool            firstMessageReceived = true;
-    uint32_t        offsetEstimate;
+    uint32_t        offsetEstimate = 0;
 #endif
 
 #ifdef KEEP_SESSION_NAME

src/AppleMIDI_Settings.h

@@ -6,8 +6,10 @@ BEGIN_APPLEMIDI_NAMESPACE
 
 struct DefaultSettings
 {
-    static const size_t UdpTxPacketMaxSize = 24; 
+    // Small default to fit constrained MCUs; raise if you send larger SysEx.
+    static const size_t UdpTxPacketMaxSize = 24;
 
+    // MIDI buffer size in bytes; should be >= 3 * max message length.
     static const size_t MaxBufferSize = 64;
 
     static const size_t MaxSessionNameLen = 24;
@@ -26,11 +28,12 @@ struct DefaultSettings
     // two sequence numbers. The sender can then free the memory containing old journalling data if necessary.
     static const unsigned long ReceiversFeedbackThreshold = 1000;
 
-    // The initiator must initiate a new sync exchange at least once every 60 seconds
-    // as in https://developer.apple.com/library/archive/documentation/Audio/Conceptual/MIDINetworkDriverProtocol/MIDI/MIDI.html
+    // The initiator must initiate a new sync exchange at least once every 60 seconds.
+    // This value includes a small 1s slack.
+    // https://developer.apple.com/library/archive/documentation/Audio/Conceptual/MIDINetworkDriverProtocol/MIDI/MIDI.html
     static const unsigned long CK_MaxTimeOut = 61000;
 
-    // when set to true, the lower 32-bits of the rtpClock ae send
+    // when set to true, the lower 32-bits of the rtpClock are sent
     // when set to false, 0 will be set for immediate playout.
     static const bool TimestampRtpPackets = true;
 

src/rtpMIDI_Clock.h

@@ -14,22 +14,26 @@ typedef struct rtpMidi_Clock
 
 	uint64_t startTime_;
 	uint64_t initialTimeStamp_;
+	uint32_t low32_;
+	uint32_t high32_;
 
 	void Init(uint64_t initialTimeStamp, uint32_t clockRate)
 	{
-		initialTimeStamp_ = 0;
+		initialTimeStamp_ = initialTimeStamp;
 		clockRate_ = clockRate;
 
 		if (clockRate_ == 0)
 		{
 			clockRate_ = MIDI_SAMPLING_RATE_DEFAULT;
 		}
 
+		low32_ = millis();
+		high32_ = 0;
 		startTime_ = Ticks();
 	}
 
 	/// <summary>
-	/// Returns an timestamp value suitable for inclusion in a RTP packet header.
+	/// Returns a timestamp value suitable for inclusion in a RTP packet header.
 	/// </summary>
 	uint64_t Now()
 	{
@@ -39,14 +43,12 @@ typedef struct rtpMidi_Clock
 private:
 	uint64_t CalculateCurrentTimeStamp()
 	{
-        return  (CalculateTimeSpent() * clockRate_) / MSEC_PER_SEC;
+        return initialTimeStamp_ + (CalculateTimeSpent() * clockRate_) / MSEC_PER_SEC;
 	}
 
 	/// <summary>
 	///     Returns the time spent since the initial clock timestamp value.
-	///     The returned value is expressed in units of "clock pulsations",
-	///     that are equivalent to seconds, scaled by the clock rate.
-	///     i.e: 1 second difference will result in a delta value equals to the clock rate.
+	///     The returned value is expressed in milliseconds.
 	/// </summary>
 	uint64_t CalculateTimeSpent()
 	{
@@ -56,14 +58,14 @@ typedef struct rtpMidi_Clock
     /// <summary>
     ///     millis() as a 64bit (not the default 32bit)
     ///     this prevents wrap around.
+	///     Note: rollover tracking is per instance; call Init() before use.
     /// </summary>
-	uint64_t Ticks() const
+	uint64_t Ticks()
 	{
-        static uint32_t low32, high32;
         uint32_t new_low32 = millis();
-        if (new_low32 < low32) high32++;
-        low32 = new_low32;
-        return (uint64_t) high32 << 32 | low32;
+        if (new_low32 < low32_) high32_++;
+        low32_ = new_low32;
+        return (uint64_t) high32_ << 32 | low32_;
 	}
 
 

src/rtpMIDI_Parser.h

@@ -33,13 +33,13 @@ class rtpMIDIParser
     void debugPrintBuffer(RtpBuffer_t &buffer)
     {
 #ifdef DEBUG
-        for (int i = 0; i < buffer.size(); i++) 
+        for (size_t i = 0; i < buffer.size(); i++) 
         {
             SerialMon.print("  ");
             SerialMon.print(i);
             SerialMon.print(i < 10 ? "  " : " ");
         }
-        for (int i = 0; i < buffer.size(); i++) 
+        for (size_t i = 0; i < buffer.size(); i++) 
         {
             SerialMon.print("0x");
             SerialMon.print(buffer[i] < 16 ? "0" : "");
@@ -169,8 +169,11 @@ class rtpMIDIParser
             cmdCount = 0;
             runningstatus = 0;
 
-            while (i--)
+            while (i > 0)
+            {
                 buffer.pop_front();
+                --i;
+            }
 
             _rtpHeadersComplete = true;
 
@@ -202,7 +205,16 @@ class rtpMIDIParser
                 return parserReturn::NotEnoughData;
             case parserReturn::UnexpectedJournalData:
                 _rtpHeadersComplete = false;
+                _journalSectionComplete = false;
+                _channelJournalSectionComplete = false;
+                _journalTotalChannels = 0;
             default:
+                // Reset all journal state on any non-recoverable error to avoid
+                // leaking partial state into the next packet.
+                _rtpHeadersComplete = false;
+                _journalSectionComplete = false;
+                _channelJournalSectionComplete = false;
+                _journalTotalChannels = 0;
                 return retVal;
             }
         }