From 871cbd3ea56485fe60ac88634c1ef2c887c0d5c2 Mon Sep 17 00:00:00 2001
From: Alexander Chemeris
Date: Tue, 24 Nov 2015 21:28:58 -0500
Subject: rtp_proxy: Fix out of bound access when AMR is enabled. One extra byte is used for the AMR frame size, which was not accounted for.
---
 openbsc/src/libtrau/rtp_proxy.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index eea70bca6..3a462d838 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -64,8 +64,10 @@ enum rtp_bfd_priv {
 #define RTP_VERSION 2
-/* 33 for FR, all other codecs have smaller size */
-#define MAX_RTP_PAYLOAD_LEN 33
+/* 33 bytes for FR and AMR mode 7, all other codecs have smaller size.
+ Plus we need 1 byte for size of AMR frames
+ 34 bytes total */
+#define MAX_RTP_PAYLOAD_LEN 34
 /* decode an rtp frame and create a new buffer with payload */
 static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data, int msg_type)
-- 
cgit v1.2.3
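Review bot: The new `MAX_RTP_PAYLOAD_LEN` is a hand-added sum, and nothing in the hunk ties it to the code that writes the AMR size byte, so the same out-of-bounds write can return if either side changes. Spelling the sum out keeps the extra byte visible, for example `#define MAX_RTP_PAYLOAD_LEN (33 + 1) /* largest codec frame + AMR size byte */`. The body of `rtp_decode` lies outside the hunk, so it is not visible whether the received payload length is compared with this limit before the copy. Since the length comes from a network packet, that check should exist and should leave room for the extra byte on the AMR path, rejecting the frame otherwise.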