In rtcp_sdes_cname_mangle when skipping over additional zeroes at the end of a chunk we should not read past the actual message (rtcp_end).
Fixes CID #1206579 --- openbsc/src/libtrau/rtp_proxy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@ static int rtcp_sdes_cname_mangle(struct msgb *msg, struct rtcp_hdr *rh,
 tag = *cur++;
 if (tag == 0) {
 /* end of chunk, skip additional zero */
- while (*cur++ == 0) { }
+ while ((*cur++ == 0) && (cur < rtcp_end)) { }
 break;
 }
 len = *cur++;
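Review bot: The new loop condition `(*cur++ == 0) && (cur < rtcp_end)` still dereferences `cur` before comparing it with `rtcp_end`, so when the zero tag was the last byte of the message the first iteration reads one byte past the end. Testing the bound first keeps the existing skip semantics and closes that read: `while (cur < rtcp_end && *cur++ == 0) { }`. The `len = *cur++;` on the line after the block is also read with no bound check visible in this hunk; the enclosing loop starts and ends outside the hunk, so it may already be guarded there. Since RTCP arrives from the network, a regression test with an SDES chunk whose terminating zero is the final byte of the packet would pin this down.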
Fixes CIDs #1206577, #1206578 --- openbsc/src/osmo-nitb/bsc_hack.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/osmo-nitb/bsc_hack.c b/openbsc/src/osmo-nitb/bsc_hack.c
index 61141fd..3307bc6 100644
--- a/openbsc/src/osmo-nitb/bsc_hack.c
+++ b/openbsc/src/osmo-nitb/bsc_hack.c
@@ -148,10 +148,10 @@ static void handle_options(int argc, char **argv)
 daemonize = 1;
 break;
 case 'l':
- database_name = strdup(optarg);
+ database_name = optarg;
 break;
 case 'c':
- config_file = strdup(optarg);
+ config_file = optarg;
 break;
 case 'p':
 create_pcap_file(optarg);
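Review bot: After this change `database_name` and `config_file` in the `'l'` and `'c'` cases borrow storage from `argv` instead of owning a heap copy, and nothing in the hunk records that. A comment at the assignments such as `/* points into argv: valid for the life of the process, must not be free()d */` would keep a later cleanup path from freeing them. If the defaults for these variables are string literals (not visible here), the borrowed pointer is consistent with them. handle_options continues outside the hunk.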