diff options
author | Alexander Chemeris <Alexander.Chemeris@gmail.com> | 2015-11-24 21:28:58 -0500 |
---|---|---|
committer | Alexander Chemeris <Alexander.Chemeris@gmail.com> | 2015-11-24 21:28:58 -0500 |
commit | 871cbd3ea56485fe60ac88634c1ef2c887c0d5c2 (patch) | |
tree | 2af2f3a67d9e629430d5ff218c35b62cefb3b159 | |
parent | b8e04d4041c1805e161bd17dbf846293457dccea (diff) |
rtp_proxy: Fix out of bound access when AMR is enabled.fairwaves/dynamic-rtp-pt-fix
One extra byte is used for the AMR frame size, which was not accounted for.
-rw-r--r-- | openbsc/src/libtrau/rtp_proxy.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c index eea70bca6..3a462d838 100644 --- a/openbsc/src/libtrau/rtp_proxy.c +++ b/openbsc/src/libtrau/rtp_proxy.c @@ -64,8 +64,10 @@ enum rtp_bfd_priv { #define RTP_VERSION 2 -/* 33 for FR, all other codecs have smaller size */ -#define MAX_RTP_PAYLOAD_LEN 33 +/* 33 bytes for FR and AMR mode 7, all other codecs have smaller size. + Plus we need 1 byte for size of AMR frames + 34 bytes total */ +#define MAX_RTP_PAYLOAD_LEN 34 /* decode an rtp frame and create a new buffer with payload */ static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data, int msg_type) |