aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@gnumonks.org>2013-12-14 22:32:09 +0100
committerPablo Neira Ayuso <pablo@gnumonks.org>2013-12-14 22:36:00 +0100
commit55033742a17b2561f3c7c5650d6386949a35bbc4 (patch)
tree3cf5659707d8ffc75a6eb973013f4ea73b05fe24 /src
parentc733ae5b6e7834bec9882d787da7f6c52ff0f4a3 (diff)
osmux: don't print messages with wrong AMR FT
The AMR FT field is used to infer the length of the payload, if a value higher than 8 (SID) is received, skip it. This fixes a possible crash in osmux_snprintf() in case we receive a malformed osmux header. This is also addresses the crash described in c733ae5b6e.
Diffstat (limited to 'src')
-rw-r--r--src/osmux.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/osmux.c b/src/osmux.c
index 77a04bf..15c2739 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -672,6 +672,12 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
}
osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + msg_off);
+ if (!osmo_amr_ft_valid(osmuxh->amr_ft)) {
+ LOGP(DLMIB, LOGL_ERROR, "Bad AMR FT %d, skipping\n",
+ osmuxh->amr_ft);
+ return -1;
+ }
+
ret = osmux_snprintf_header(buf+offset, size, osmuxh);
if (ret < 0)
break;