diff options
author | Pablo Neira Ayuso <pablo@gnumonks.org> | 2013-08-27 17:15:27 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@gnumonks.org> | 2013-08-27 17:15:27 +0200 |
commit | 7b37afba337c1eb64b32d99400121700e8e7a61c (patch) | |
tree | 1570871297f272b3664e7ccc182b595313f7b679 | |
parent | ce4bc15a9c43e446257cec723257e51eee965176 (diff) |
osmux: sanity check too big RTP/RTCP messages as input
Holger spotted that the caller may loop forever in case it receives
big RTP/RCTP packets, that are likely to be spoofed.
-rw-r--r-- | src/osmux.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/osmux.c b/src/osmux.c index 3a1142d..34f4422 100644 --- a/src/osmux.c +++ b/src/osmux.c @@ -464,6 +464,12 @@ int osmux_xfrm_input(struct osmux_in_handle *h, struct msgb *msg, int ccid) struct rtp_hdr *rtph; struct osmux_batch *batch = (struct osmux_batch *)h->internal_data; + /* Ignore too big RTP/RTCP messages, most likely forged. Sanity check + * to avoid a possible forever loop in the caller. + */ + if (msg->len > OSMUX_BATCH_MAX - sizeof(struct osmux_hdr)) + return 1; + rtph = osmo_rtp_get_hdr(msg); if (rtph == NULL) return 0; |