In rtcp_sdes_cname_mangle when skipping over additional zeroes at the
end of a chunk we should not read past the actual message (rtcp_end).
Fixes CID #1206579
---
openbsc/src/libtrau/rtp_proxy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@ static int rtcp_sdes_cname_mangle(struct msgb *msg, struct rtcp_hdr
*rh,
tag = *cur++;
if (tag == 0) {
/* end of chunk, skip additional zero */
- while (*cur++ == 0) { }
+ while ((*cur++ == 0) && (cur < rtcp_end)) { }
break;
}
len = *cur++;
--
1.8.4.2
Show replies by date
Fixes CIDs #1206577, #1206578
---
openbsc/src/osmo-nitb/bsc_hack.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/osmo-nitb/bsc_hack.c b/openbsc/src/osmo-nitb/bsc_hack.c
index 61141fd..3307bc6 100644
--- a/openbsc/src/osmo-nitb/bsc_hack.c
+++ b/openbsc/src/osmo-nitb/bsc_hack.c
@@ -148,10 +148,10 @@ static void handle_options(int argc, char **argv)
daemonize = 1;
break;
case 'l':
- database_name = strdup(optarg);
+ database_name = optarg;
break;
case 'c':
- config_file = strdup(optarg);
+ config_file = optarg;
break;
case 'p':
create_pcap_file(optarg);
--
1.8.4.2