authorPablo Neira Ayuso <pablo@gnumonks.org>2013-05-24 10:47:50 +0200
committerPablo Neira Ayuso <pablo@gnumonks.org>2013-05-24 10:47:59 +0200
commit1ee6d39921dbec5d6597295ba40e0f95d1e955fc (patch)
tree9eac42bf29841f1bb882244a48ad8ac298eafc89 /src
parentb5be2f73e091549e374693c44ba6c33dc4eba521 (diff)
osmux: add sanity checking in osmux_xfrm_output_pull
Osmux infers the size of the AMR payload from the FT type. Make sure we get enough data from the network according to what we expect.
Diffstat (limited to 'src')
-rw-r--r--src/osmux.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/osmux.c b/src/osmux.c
index 87cb652..9438d42 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -56,10 +56,19 @@ struct osmux_hdr *osmux_xfrm_output_pull(struct msgb *msg)
struct osmux_hdr *osmuxh = NULL;
if (msg->len > sizeof(struct osmux_hdr)) {
+ size_t len;
+
osmuxh = (struct osmux_hdr *)msg->data;
+ len = osmo_amr_bytes(osmuxh->amr_ft) * (osmuxh->ctr+1) +
+ sizeof(struct osmux_hdr);
+
+ if (len > msg->len) {
+ LOGP(DLMIB, LOGL_ERROR, "Discarding malformed "
+ "OSMUX message\n");
+ return NULL;
+ }
- msgb_pull(msg, sizeof(struct osmux_hdr) +
- (osmo_amr_bytes(osmuxh->amr_ft) * (osmuxh->ctr+1)));
+ msgb_pull(msg, len);
} else if (msg->len > 0) {
LOGP(DLMIB, LOGL_ERROR,
"remaining %d bytes, broken osmuxhdr?\n", msg->len);
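Review bot: The new bound is computed from `osmo_amr_bytes(osmuxh->amr_ft)` before anything checks that the network-supplied `amr_ft` is a frame type the helper knows. That helper is defined outside this hunk, so if it looks the value up in a table without a range check, the lookup happens ahead of the `len > msg->len` test and the test only protects the later `msgb_pull()`. I would reject unknown frame types first, right after `osmuxh` is assigned, and say so in a comment such as `/* amr_ft and ctr come from the wire; validate before sizing the payload */`. The discard message would also be more useful for triage if it carried the numbers, e.g. `"Discarding malformed OSMUX message: need %zu bytes, have %d\n", len, msg->len`. Since any peer can trigger it, it may be worth confirming that this `LOGL_ERROR` path cannot flood the log. The function body starts and ends outside the hunk, so the caller's handling of the new `NULL` return is not visible here.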