author | Pablo Neira Ayuso <pablo@gnumonks.org> | 2013-05-24 10:47:50 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@gnumonks.org> | 2013-05-24 10:47:59 +0200 |
commit | 1ee6d39921dbec5d6597295ba40e0f95d1e955fc (patch) | |
tree | 9eac42bf29841f1bb882244a48ad8ac298eafc89 /src | |
parent | b5be2f73e091549e374693c44ba6c33dc4eba521 (diff) |
osmux: add sanity checking in osmux_xfrm_output_pull
Osmux infers the size of the AMR payload from the FT type.
Make sure we get enough data from the network according to
what we expect.
Diffstat (limited to 'src')
-rw-r--r-- | src/osmux.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/src/osmux.c b/src/osmux.c index 87cb652..9438d42 100644 --- a/src/osmux.c +++ b/src/osmux.c @@ -56,10 +56,19 @@ struct osmux_hdr *osmux_xfrm_output_pull(struct msgb *msg) struct osmux_hdr *osmuxh = NULL; if (msg->len > sizeof(struct osmux_hdr)) { + size_t len; + osmuxh = (struct osmux_hdr *)msg->data; + len = osmo_amr_bytes(osmuxh->amr_ft) * (osmuxh->ctr+1) + + sizeof(struct osmux_hdr); + + if (len > msg->len) { + LOGP(DLMIB, LOGL_ERROR, "Discarding malformed " + "OSMUX message\n"); + return NULL; + } - msgb_pull(msg, sizeof(struct osmux_hdr) + - (osmo_amr_bytes(osmuxh->amr_ft) * (osmuxh->ctr+1))); + msgb_pull(msg, len); } else if (msg->len > 0) { LOGP(DLMIB, LOGL_ERROR, "remaining %d bytes, broken osmuxhdr?\n", msg->len); |
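Review bot: The new `len > msg->len` check still trusts `osmo_amr_bytes(osmuxh->amr_ft)` for a frame type read straight from the network, and nothing in the hunk rejects an FT value the AMR table does not know. `osmo_amr_bytes` is not visible here; if it can return a negative value for an unknown FT, the product converts to a huge `size_t`, `len` can wrap to less than the header size and the check passes, so `msgb_pull` would advance by a bogus amount. Consider taking the result into a local first and bailing out early, e.g. `int amr_len = osmo_amr_bytes(osmuxh->amr_ft);` followed by `if (amr_len < 0) return NULL;` before computing `len`. The error log would also be more useful for triage if it carried the numbers, e.g. `"Discarding malformed OSMUX message (need %zu, have %d)\n", len, msg->len`. The function's start and end lie outside the hunk, so how callers treat the NULL return is not checked here.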