From 23148b069f095e808dbf39adfa67eda71d690f7a Mon Sep 17 00:00:00 2001
From: Pau Espin Pedrol <pespin@sysmocom.de>
Date: Thu, 12 Apr 2018 15:32:18 +0200
Subject: osmux: osmux_xfrm_output_pull: Improve checks and log of malformed
 packets

Change-Id: I143805bb5ee9f5e3ada46114e380a03ede80df9f
Related: SYS#4182
---
 src/osmux.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/osmux.c b/src/osmux.c
index a0563d2..03db469 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -85,8 +85,13 @@ next:
 		case OSMUX_FT_VOICE_AMR:
 			break;
 		case OSMUX_FT_DUMMY:
-			msgb_pull(msg, osmux_ft_dummy_size(osmuxh->amr_ft,
-							   osmuxh->ctr + 1));
+			len = osmux_ft_dummy_size(osmuxh->amr_ft, osmuxh->ctr + 1);
+			if (msgb_length(msg) < len) {
+				LOGP(DLMUX, LOGL_ERROR, "Discarding bad Dummy FT: %s\n",
+					osmo_hexdump(msg->data, msgb_length(msg)));
+				return NULL;
+			}
+			msgb_pull(msg, len);
 			goto next;
 		default:
 			LOGP(DLMUX, LOGL_ERROR, "Discarding unsupported Osmux FT %d\n",
@@ -102,9 +107,10 @@ next:
 		len = osmo_amr_bytes(osmuxh->amr_ft) * (osmuxh->ctr+1) +
 			sizeof(struct osmux_hdr);
 
-		if (len > msg->len) {
-			LOGP(DLMUX, LOGL_ERROR, "Discarding malformed "
-						"OSMUX message\n");
+		if (msgb_length(msg) < len) {
+			LOGP(DLMUX, LOGL_ERROR,
+				"Discarding malformed OSMUX message: %s\n",
+				osmo_hexdump(msg->data, msgb_length(msg)));
 			return NULL;
 		}
 
-- 
cgit v1.2.3