authorDaniel Willmann <dwillmann@sysmocom.de>2014-05-21 15:46:43 +0200
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-05-22 14:31:09 +0200
commit45fcb852369a1acaa2c626e1a1063e9d1f042825 (patch)
treed7490f516ad9963f2156ca4562b7b16d85515b37 /openbsc/src/libtrau
parenta4c63b0cdba82a453875d9208d9dad0b9b530d56 (diff)
rtp_proxy: Prevent out-of-bounds read in rtcp_sdes_cname_mangle
In rtcp_sdes_cname_mangle when skipping over additional zeroes at the end of a chunk we should not read past the actual message (rtcp_end). Fixes CID #1206579
Diffstat (limited to 'openbsc/src/libtrau')
-rw-r--r--openbsc/src/libtrau/rtp_proxy.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@ static int rtcp_sdes_cname_mangle(struct msgb *msg, struct rtcp_hdr *rh,
tag = *cur++;
if (tag == 0) {
/* end of chunk, skip additional zero */
- while (*cur++ == 0) { }
+ while ((*cur++ == 0) && (cur < rtcp_end)) { }
break;
}
len = *cur++;
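Review bot: The new loop condition still dereferences `cur` before comparing it with `rtcp_end`, so if `tag = *cur++` consumed the last byte of the message, `*cur++ == 0` reads one byte past the end before the bound is ever checked. Testing the bound first closes that gap: `while (cur < rtcp_end && *cur == 0) cur++;`. This form leaves `cur` on the first non-zero byte instead of one past it, which looks harmless given the `break` that follows, but the rest of rtcp_sdes_cname_mangle lies outside the hunk, so confirm nothing after the loop relies on the old position. The `len = *cur++;` read on the last visible line has the same shape and no visible check against `rtcp_end`, so it is worth verifying that the enclosing loop guarantees at least two readable bytes per item.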