author | Pablo Neira Ayuso <pablo@gnumonks.org> | 2013-12-14 22:32:09 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@gnumonks.org> | 2013-12-14 22:36:00 +0100 |
commit | 55033742a17b2561f3c7c5650d6386949a35bbc4 (patch) | |
tree | 3cf5659707d8ffc75a6eb973013f4ea73b05fe24 /src/osmux.c | |
parent | c733ae5b6e7834bec9882d787da7f6c52ff0f4a3 (diff) |
osmux: don't print messages with wrong AMR FT
The AMR FT field is used to infer the length of the payload, if
a value higher than 8 (SID) is received, skip it.
This fixes a possible crash in osmux_snprintf() in case we receive
a malformed osmux header.
This also addresses the crash described in c733ae5b6e.
Diffstat (limited to 'src/osmux.c')
-rw-r--r-- | src/osmux.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/osmux.c b/src/osmux.c index 77a04bf..15c2739 100644 --- a/src/osmux.c +++ b/src/osmux.c @@ -672,6 +672,12 @@ int osmux_snprintf(char *buf, size_t size, struct msgb *msg) } osmuxh = (struct osmux_hdr *)((uint8_t *)msg->data + msg_off); + if (!osmo_amr_ft_valid(osmuxh->amr_ft)) { + LOGP(DLMIB, LOGL_ERROR, "Bad AMR FT %d, skipping\n", + osmuxh->amr_ft); + return -1; + } + ret = osmux_snprintf_header(buf+offset, size, osmuxh); if (ret < 0) break; |
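Review bot: the new bad-FT branch in osmux_snprintf() exits with `return -1`, while the failure check directly below it (`if (ret < 0) break;`) exits with `break`, so the two error paths leave the function differently. If the code after the enclosing loop terminates the buffer or returns the amount already written, the new branch bypasses it and the caller gets -1 with `buf` possibly holding output for earlier headers in the same message. Consider using the same exit path for both, or documenting that a -1 return means `buf` must not be used. The log text also says "skipping", but the code stops processing the rest of `msg` rather than moving on to the next header; reword it (for example "Bad AMR FT %d, giving up on message") or include `msg_off` so the offending header can be located. Since this branch is reached from a received, possibly malformed osmux header, it is also worth checking whether LOGL_ERROR per packet is the intended level.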