From a820c5f89d0ea3a7aefd1621d9bf1c9c5a25e8eb Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Fri, 26 Feb 2010 13:32:55 +0100
Subject: [PATCH] [mgcp] Fix two bugs in the protocol handling

In case of a wrongly formatted AUEP, CRCX, DLCX, MDCX the transaction id pointer was a dangling pointer... Initialize the transaction id to a static string.. Also fix a off by one bug. We want to extract four elements from the MGCP message and not only 3... So a short AUEP message made it us read too many things.
---
 openbsc/src/mgcp/mgcp_protocol.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/mgcp/mgcp_protocol.c b/openbsc/src/mgcp/mgcp_protocol.c
index 43bddf4a5..0fe33dd23 100644
--- a/openbsc/src/mgcp/mgcp_protocol.c
+++ b/openbsc/src/mgcp/mgcp_protocol.c
@@ -302,6 +302,8 @@ static int analyze_header(struct mgcp_config *cfg, struct msgb *msg,
 {
 	int found;
 
+	*transaction_id = "000000";
+
 	if (size < 3) {
 		LOGP(DMGCP, LOGL_ERROR, "Not enough space in ptr\n");
 		return -1;
@@ -309,7 +311,7 @@ static int analyze_header(struct mgcp_config *cfg, struct msgb *msg,
 
 	found = find_msg_pointers(msg, ptr, size);
 
-	if (found < 3) {
+	if (found <= 3) {
 		LOGP(DMGCP, LOGL_ERROR, "Gateway: Not enough params. Found: %d\n", found);
 		return -1;
 	}
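Review bot: The sentinel assigned to `*transaction_id` on the new line of the first hunk deserves a comment, because "000000" is a magic string whose role (a stand-in id so that replies to a malformed request never go out with an uninitialised pointer, per the description) is not visible in the code itself; suggest `/* stand-in id for error replies; overwritten once the header parses */` above it, with the "overwritten" part confirmed against the rest of the function. If the parameter is declared `char **` rather than `const char **`, pointing it at a string literal invites a later write into read-only memory; the signature is cut off in the hunk header, so this is worth checking. analyze_header's body continues outside the hunk.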
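Review bot: The tightened check `found <= 3` in the second hunk now requires at least four extracted pointers, but the `size < 3` guard shown as context in the first hunk still admits a three-slot ptr array; if find_msg_pointers fills at most `size` entries, as its arguments suggest, a caller passing size == 3 can never succeed and gets the misleading "Not enough params" message instead of "Not enough space in ptr". Raise the guard to match, `if (size < 4) {`, and consider a single named constant for both limits so the two checks cannot drift apart again. The rest of analyze_header, including where the four pointers are consumed, lies outside the hunk.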