From patchwork Wed May 21 13:46:43 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Willmann <dwillmann@sysmocom.de>
X-Patchwork-Id: 351197
Return-Path: <openbsc-bounces@lists.osmocom.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from ganesha.gnumonks.org (ganesha.gnumonks.org
	[IPv6:2001:780:45:1d:225:90ff:fe52:c662])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id C6480140076
	for <incoming@patchwork.ozlabs.org>;
	Wed, 21 May 2014 23:47:42 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=ganesha.gnumonks.org)
	by ganesha.gnumonks.org with esmtp (Exim 4.72)
	(envelope-from <openbsc-bounces@lists.osmocom.org>)
	id 1Wn6ri-00056i-8l; Wed, 21 May 2014 15:47:30 +0200
Received: from isonoe.totalueberwachung.de ([2a01:198:210:100::1])
	by ganesha.gnumonks.org with esmtps
	(TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72)
	(envelope-from <alphaone@totalueberwachung.de>) id 1Wn6rK-00056T-B6
	for openbsc@lists.osmocom.org; Wed, 21 May 2014 15:47:12 +0200
Received: from adrastea.totalueberwachung.de
	(24-134-58-61-dynip.superkabel.de [24.134.58.61])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by isonoe.totalueberwachung.de (Postfix) with ESMTPSA id AE8E660055;
	Wed, 21 May 2014 15:47:05 +0200 (CEST)
Received: by adrastea.totalueberwachung.de (Postfix, from userid 1000)
	id C7586220D7; Wed, 21 May 2014 15:47:02 +0200 (CEST)
From: Daniel Willmann <dwillmann@sysmocom.de>
To: OpenBSC Mailing List <openbsc@lists.osmocom.org>
Subject: [openbsc 1/2] rtp_proxy: Prevent out-of-bounds read in
	rtcp_sdes_cname_mangle
Date: Wed, 21 May 2014 15:46:43 +0200
Message-Id: 
 <8c86d1c494e52a507b63eda0f42fbc9288a9d27c.1400680004.git.daniel@totalueberwachung.de>
X-Mailer: git-send-email 1.8.4.2
X-Spam-Score: -0.0 (/)
Cc: Daniel Willmann <dwillmann@sysmocom.de>
X-BeenThere: openbsc@lists.osmocom.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development of the OpenBSC GSM base station controller
	<openbsc.lists.osmocom.org>
List-Unsubscribe: <https://lists.osmocom.org/mailman/options/openbsc>,
	<mailto:openbsc-request@lists.osmocom.org?subject=unsubscribe>
List-Archive: <http://lists.osmocom.org/pipermail/openbsc>
List-Post: <mailto:openbsc@lists.osmocom.org>
List-Help: <mailto:openbsc-request@lists.osmocom.org?subject=help>
List-Subscribe: <https://lists.osmocom.org/mailman/listinfo/openbsc>,
	<mailto:openbsc-request@lists.osmocom.org?subject=subscribe>
Sender: openbsc-bounces@lists.osmocom.org
Errors-To: openbsc-bounces@lists.osmocom.org

In rtcp_sdes_cname_mangle when skipping over additional zeroes at the
end of a chunk we should not read past the actual message (rtcp_end).

Fixes CID #1206579
---
 openbsc/src/libtrau/rtp_proxy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@ static int rtcp_sdes_cname_mangle(struct msgb *msg, struct rtcp_hdr *rh,
 			tag = *cur++;
 			if (tag == 0) {
 				/* end of chunk, skip additional zero */
-				while (*cur++ == 0) { }
+				while ((*cur++ == 0) && (cur < rtcp_end)) { }
 				break;
 			}
 			len = *cur++;