aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMax <msuraev@sysmocom.de>2016-06-10 17:21:05 +0200
committerHarald Welte <laforge@gnumonks.org>2016-06-14 10:20:05 +0000
commite152ffe14d1dfe2ffb4892ada5eede6ccb429338 (patch)
treebae02bb9f50202bc2b510d68f77839a266a63ce7
parentb8afb5fda251be739fdd862054d28b0eedfd85c9 (diff)
Fix SIGABRT on wrong AMR payload
Previously length check have not considered AMR format which requires extra byte for in-band length leading to SIGABRT on incorrect payload from BTS. Change-Id: I800f756fc803accace8c7e0b4a42b3744fe78bb6 Fixes: OS#1731
-rw-r--r--openbsc/src/libtrau/rtp_proxy.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 6c0461017..ed1917512 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -163,7 +163,9 @@ static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data)
return -EINVAL;
}
- if (payload_len > MAX_RTP_PAYLOAD_LEN) {
+ if (payload_len > MAX_RTP_PAYLOAD_LEN ||
+ (rtph->payload_type == RTP_PT_AMR &&
+ payload_len > MAX_RTP_PAYLOAD_LEN - 1)) {
DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
payload_len);
return -EINVAL;