From 55033742a17b2561f3c7c5650d6386949a35bbc4 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 14 Dec 2013 22:32:09 +0100
Subject: osmux: don't print messages with wrong AMR FT

The AMR FT field is used to infer the length of the payload, if a value higher than 8 (SID) is received, skip it.

This fixes a possible crash in osmux_snprintf() in case we receive a malformed osmux header.

This is also addresses the crash described in c733ae5b6e.
---
 src/osmux.c | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'src')

diff --git a/src/osmux.c b/src/osmux.c
index 77a04bf..15c2739 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -672,6 +672,12 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg)
 	}
 	osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + msg_off);
+	if (!osmo_amr_ft_valid(osmuxh->amr_ft)) {
+		LOGP(DLMIB, LOGL_ERROR, "Bad AMR FT %d, skipping\n",
+			osmuxh->amr_ft);
+		return -1;
+	}
+
 	ret = osmux_snprintf_header(buf+offset, size, osmuxh);
 	if (ret < 0)
 		break;
-- 
cgit v1.2.3
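Review bot: The added log line says "skipping", but the code below it does `return -1;`, which abandons the whole osmux_snprintf() call including whatever earlier batch entries were already formatted into buf; the failure path two lines further down for osmux_snprintf_header() uses `break` instead, so the two error paths in the same loop now behave differently. Either make the message match the behaviour, `LOGP(DLMIB, LOGL_ERROR, "Bad AMR FT %d, aborting\n", osmuxh->amr_ft);`, or use `break;` like the existing path, whichever the caller of osmux_snprintf() expects on a malformed header. The enclosing loop and function begin and end outside the hunk, so I cannot see which return value the caller treats as an error. Since the commit message says the FT field is what the payload length is derived from, the same osmo_amr_ft_valid() check presumably belongs on the receive/decode path that walks the batch as well, not only on the printing helper; please confirm that path already rejects an out-of-range FT.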