fixeria submitted this change.
2 is the latest approved patch-set.
No files were changed between the latest approved patch-set and the submitted one.
l1sap: prevent buffer overflow in l1sap_rtp_rx_cb()
Change-Id: I214070ecf7458202922475505a8747950bedf930
Fixes: d1f8f3429 "l1sap: proper rate adaptation for CSD"
---
M src/common/l1sap.c
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index 5a900f8..63be237 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -2460,7 +2460,9 @@
OSMO_ASSERT(0);
}
- msg = l1sap_msgb_alloc(512);
+#define L1SAP_MSGB_L2LEN_TCH 512
+
+ msg = l1sap_msgb_alloc(L1SAP_MSGB_L2LEN_TCH);
if (!msg)
return;
@@ -2479,6 +2481,12 @@
return;
}
} else {
+ if (OSMO_UNLIKELY(rtp_pl_len > L1SAP_MSGB_L2LEN_TCH)) {
+ LOGPLCHAN(lchan, DL1P, LOGL_ERROR,
+ "%s(): incoming RTP truncated: %u -> %u\n",
+ __func__, rtp_pl_len, L1SAP_MSGB_L2LEN_TCH);
+ rtp_pl_len = L1SAP_MSGB_L2LEN_TCH; /* truncate */
+ }
memcpy(msgb_put(msg, rtp_pl_len), rtp_pl, rtp_pl_len);
}
To view, visit change 38313. To unsubscribe, or for help writing mail filters, visit settings.