From 7b37afba337c1eb64b32d99400121700e8e7a61c Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 27 Aug 2013 17:15:27 +0200
Subject: osmux: sanity check too big RTP/RTCP messages as input

Holger spotted that the caller may loop forever in case it receives big RTP/RCTP packets, that are likely to be spoofed.
---
 src/osmux.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/osmux.c b/src/osmux.c
index 3a1142d..34f4422 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -464,6 +464,12 @@ int osmux_xfrm_input(struct osmux_in_handle *h, struct msgb *msg, int ccid)
 struct rtp_hdr *rtph;
 struct osmux_batch *batch = (struct osmux_batch *)h->internal_data;
 
+ /* Ignore too big RTP/RTCP messages, most likely forged. Sanity check
+ * to avoid a possible forever loop in the caller.
+ */
+ if (msg->len > OSMUX_BATCH_MAX - sizeof(struct osmux_hdr))
+ return 1;
+
 rtph = osmo_rtp_get_hdr(msg);
 if (rtph == NULL)
 return 0;
--
cgit v1.2.3
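Review bot: The new size guard in osmux_xfrm_input returns 1, whereas the skip path directly below it (`if (rtph == NULL) return 0;`) returns 0 for a message that is dropped. The return-code contract is not visible in this hunk, but if 1 tells the caller that the batch is full and the same message should be retried after delivery, an oversized packet would be retried indefinitely, which is the loop the commit message sets out to prevent. In that case `return 0;` would match the existing skip path. It would also help to state the meaning of each return value in the comment, and to log or count the drop so that a stream of oversized, possibly spoofed packets is visible to operators. The function body starts and ends outside the hunk.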