[1/2] rtp_proxy: Prevent out-of-bounds read in rtcp_sdes_cname_mangle
diff mbox

Message ID 8c86d1c494e52a507b63eda0f42fbc9288a9d27c.1400680004.git.daniel@totalueberwachung.de
State Accepted
Headers show

Commit Message

Daniel Willmann May 21, 2014, 1:46 p.m. UTC
In rtcp_sdes_cname_mangle when skipping over additional zeroes at the
end of a chunk we should not read past the actual message (rtcp_end).

Fixes CID #1206579
---
 openbsc/src/libtrau/rtp_proxy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch
diff mbox

diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@  static int rtcp_sdes_cname_mangle(struct msgb *msg, struct rtcp_hdr *rh,
 			tag = *cur++;
 			if (tag == 0) {
 				/* end of chunk, skip additional zero */
-				while (*cur++ == 0) { }
+				while ((*cur++ == 0) && (cur < rtcp_end)) { }
 				break;
 			}
 			len = *cur++;