From dc898ab983815cb03bb2bc481d9ddff34756823b Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 16 Dec 2013 13:04:27 +0100
Subject: osmux: don't trust AMR FT field

Sanity check that that we have enough bytes in the AMR payload for this frame-type.
---
 src/osmux.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/osmux.c b/src/osmux.c
index b9edf38..077c3b7 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -413,7 +413,7 @@ osmux_batch_add(struct osmux_batch *batch, struct msgb *msg,
 struct rtp_hdr *rtph, int ccid)
 {
 struct batch_list_node *node;
- int found = 0, bytes = 0, amr_payload_len;
+ int found = 0, bytes = 0, amr_payload_len, real_plen;

 llist_for_each_entry(node, &batch->node_list, head) {
 if (node->ccid == ccid) {
@@ -426,6 +426,14 @@ osmux_batch_add(struct osmux_batch *batch, struct msgb *msg,
 if (amr_payload_len < 0)
 return 0;

+ real_plen = msg->len - sizeof(struct rtp_hdr) - sizeof(struct amr_hdr);
+ /* The AMR payload does not fit with what we expect */
+ if (amr_payload_len != real_plen) {
+ LOGP(DLMIB, LOGL_DEBUG, "adding msg with ssrc=%u to batch\n",
+ rtph->ssrc);
+ return 0;
+ }
+
 /* First check if there is room for this message in the batch */
 bytes += amr_payload_len;
 if (!found)
--
cgit v1.2.3
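Review bot: In the new check, `real_plen = msg->len - sizeof(struct rtp_hdr) - sizeof(struct amr_hdr);` is evaluated in unsigned arithmetic because of the `sizeof` operands, so a message shorter than the two headers wraps around and is rejected only by way of the conversion back to `int`. An explicit guard before the subtraction, `if (msg->len < sizeof(struct rtp_hdr) + sizeof(struct amr_hdr)) return 0;`, would make the short-packet case obvious and independent of that conversion. The FT lookup that yields `amr_payload_len` sits above this hunk, so it is worth confirming there that the AMR header is not read before the length is known to cover it. The log text in the rejection branch, `"adding msg with ssrc=%u to batch\n"`, describes the opposite of what happens; something like `"dropping msg with ssrc=%u: AMR payload is %d bytes, FT expects %d\n"` with `real_plen` and `amr_payload_len` as arguments would make malformed frames visible in the logs.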