From 34caf230c9e8e388b35c642a885c3dc7bddeee77 Mon Sep 17 00:00:00 2001 From: Harald Welte Date: Mon, 28 Dec 2015 21:03:10 +0100 Subject: rtp_proxy.c: Ensure msgb_alloc is large enough for largest AMR frame In AMR 12.2 (mode 7), the actual RTP payload is 33 bytes. Howeerver, as we store the length of the (dynamically-sized) AMR payload in the first byte, our buffer needs at least 33+1 byte in size. --- openbsc/src/libtrau/rtp_proxy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c index 8c982c976..6c0461017 100644 --- a/openbsc/src/libtrau/rtp_proxy.c +++ b/openbsc/src/libtrau/rtp_proxy.c @@ -172,7 +172,7 @@ static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data) /* always allocate for the maximum possible size to avoid * fragmentation */ new_msg = msgb_alloc(sizeof(struct gsm_data_frame) + - MAX_RTP_PAYLOAD_LEN, "GSM-DATA (TCH)"); + MAX_RTP_PAYLOAD_LEN+1, "GSM-DATA (TCH)"); if (!new_msg) return -ENOMEM; -- cgit v1.2.3