Fix SIGABRT on wrong AMR payload

Previously length check have not considered AMR format which requires extra byte for in-band length leading to SIGABRT on incorrect payload from BTS. Change-Id: I800f756fc803accace8c7e0b4a42b3744fe78bb6 Fixes: OS#1731
2016-06-10 17:21:05 +02:00 · 2016-06-10 17:21:05 +02:00 · e152ffe14d
parent b8afb5fda2
commit e152ffe14d
1 changed files with 3 additions and 1 deletions
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@ -163,7 +163,9 @@ static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data)
 		return -EINVAL;
 	}

-	if (payload_len > MAX_RTP_PAYLOAD_LEN) {
+	if (payload_len > MAX_RTP_PAYLOAD_LEN ||
+	    (rtph->payload_type == RTP_PT_AMR &&
+	     payload_len > MAX_RTP_PAYLOAD_LEN - 1)) {
 		DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
 			payload_len);
 		return -EINVAL;