From 45fcb852369a1acaa2c626e1a1063e9d1f042825 Mon Sep 17 00:00:00 2001
From: Daniel Willmann
Date: Wed, 21 May 2014 15:46:43 +0200
Subject: rtp_proxy: Prevent out-of-bounds read in rtcp_sdes_cname_mangle

In rtcp_sdes_cname_mangle when skipping over additional zeroes at the end of a chunk we should not read past the actual message (rtcp_end).

Fixes CID #1206579
---
 openbsc/src/libtrau/rtp_proxy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf27b..15673234b 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@ static int rtcp_sdes_cname_mangle(struct msgb *msg, struct rtcp_hdr *rh,
 tag = *cur++;
 if (tag == 0) {
 /* end of chunk, skip additional zero */
- while (*cur++ == 0) { }
+ while ((*cur++ == 0) && (cur < rtcp_end)) { }
 break;
 }
 len = *cur++;
-- 
cgit v1.2.3
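Review bot: The added bound is tested only after the dereference, so `while ((*cur++ == 0) && (cur < rtcp_end)) { }` can still read one byte past the message. `tag = *cur++` has already advanced `cur`, so when the zero tag is the last byte of the packet `cur == rtcp_end` on entry, and `*cur` is evaluated before `cur < rtcp_end` is consulted. Putting the bound first keeps the same skipping behaviour and closes the read: `while ((cur < rtcp_end) && (*cur++ == 0)) { }`. The following `len = *cur++;` appears to have the same exposure when a non-zero tag is the final byte, but the function continues outside the hunk, so a later length check may exist that is not visible here.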