aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlexander Chemeris <Alexander.Chemeris@gmail.com>2015-11-24 21:28:58 -0500
committerAlexander Chemeris <Alexander.Chemeris@gmail.com>2015-11-24 21:28:58 -0500
commit871cbd3ea56485fe60ac88634c1ef2c887c0d5c2 (patch)
tree2af2f3a67d9e629430d5ff218c35b62cefb3b159
parentb8e04d4041c1805e161bd17dbf846293457dccea (diff)
rtp_proxy: Fix out of bound access when AMR is enabled.fairwaves/dynamic-rtp-pt-fix
One extra byte is used for the AMR frame size, which was not accounted for.
-rw-r--r--openbsc/src/libtrau/rtp_proxy.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index eea70bca6..3a462d838 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -64,8 +64,10 @@ enum rtp_bfd_priv {
#define RTP_VERSION 2
-/* 33 for FR, all other codecs have smaller size */
-#define MAX_RTP_PAYLOAD_LEN 33
+/* 33 bytes for FR and AMR mode 7, all other codecs have smaller size.
+ Plus we need 1 byte for size of AMR frames
+ 34 bytes total */
+#define MAX_RTP_PAYLOAD_LEN 34
/* decode an rtp frame and create a new buffer with payload */
static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data, int msg_type)