Add null-pointer check to osmo_amr_rtp_dec()
Check that the RTP payload we're about to decode is not NULL and return
a proper error code instead of segfaulting. Add a corresponding test case.
Change-Id: Ib6cda9900a41ed16bbfbde9df3de9d38e0a7469b
diff --git a/src/codec/gsm690.c b/src/codec/gsm690.c
index 0f4bf8f..c3cb932 100644
--- a/src/codec/gsm690.c
+++ b/src/codec/gsm690.c
@@ -252,6 +252,9 @@
int8_t *cmi, enum osmo_amr_type *ft,
enum osmo_amr_quality *bfi, int8_t *sti)
{
+ if (payload_len < 2 || !rtppayload)
+ return -EINVAL;
+
/* RFC 4867 § 4.4.2 ToC - compound payloads are not supported: F = 0 */
uint8_t type = (rtppayload[1] >> 3) & 0xf;
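Review bot: The new guard at the top of osmo_amr_rtp_dec() has an ordering requirement that nothing documents: it has to stay ahead of the `rtppayload[1]` read. The length test it replaces (removed in the next hunk) ran only after that read, so a payload shorter than two bytes was indexed out of bounds before being rejected. I would add `/* reject NULL or truncated payloads before touching the 2-byte header */` above the `if`, and have the function's API comment list -EINVAL for both cases. Separately, `type` is masked to 0..15 and indexes `amr_len_by_ft` a few lines later; the table's size is not visible here, so confirm it has 16 entries. The function's signature starts and its body ends outside this hunk.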
@@ -262,9 +265,6 @@
if (payload_len - 2 < amr_len_by_ft[type])
return -ENOTSUP;
- if (payload_len < 2)
- return -EINVAL;
-
if (ft)
*ft = type;
diff --git a/tests/codec/codec_test.c b/tests/codec/codec_test.c
index 5b934b1..f944f38 100644
--- a/tests/codec/codec_test.c
+++ b/tests/codec/codec_test.c
@@ -38,12 +38,17 @@
static void test_sid_dec(const uint8_t *t, size_t len)
{
- uint8_t cmr, tmp[SID_LEN];
+ uint8_t cmr, tmp[SID_LEN], *t2 = NULL;
enum osmo_amr_type ft;
enum osmo_amr_quality bfi;
int8_t sti, cmi;
- memcpy(tmp, t, SID_LEN);
- int rc = osmo_amr_rtp_dec(tmp, len, &cmr, &cmi, &ft, &bfi, &sti);
+ if (t) {
+ memcpy(tmp, t, SID_LEN);
+ t2 = tmp;
+ }
+ int rc = osmo_amr_rtp_dec(t2, len, &cmr, &cmi, &ft, &bfi, &sti);
+ if (rc < 0)
+ return;
printf("[%d] decode RTP %s%s: FT %s, CMR %s, CMI is %d, SID type %s\t",
rc, osmo_hexdump(tmp, len), cmpr(bfi, AMR_GOOD),
get_value_string(osmo_amr_type_names, ft),
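Review bot: The early `if (rc < 0) return;` makes the failure path silent, so the NULL case only shows that the call does not crash and never pins the returned error code. Printing it, e.g. `if (rc < 0) { printf("[%d] decode RTP failed\n", rc); return; }`, would let the test output check for -EINVAL; if the output is compared against an expected file, that file needs the matching line. Also, `tmp` stays uninitialised when `t` is NULL and is safe only because the return comes before `osmo_hexdump(tmp, len)`; declaring it as `tmp[SID_LEN] = { 0 }` removes that dependency. The printf call and the rest of the function continue past the end of this hunk.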
@@ -94,6 +99,7 @@
printf("AMR RTP payload decoder test:\n");
test_sid_dec(sid_first, 7);
test_sid_dec(sid_update, 7);
+ test_sid_dec(NULL, 7);
test_amr_rt(0, AMR_NO_DATA, AMR_BAD);
test_amr_rt(0, AMR_NO_DATA, AMR_GOOD);
test_amr_rt(AMR_12_2, AMR_12_2, AMR_BAD);
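Review bot: Only the NULL half of the new guard is exercised here; the `payload_len < 2` half has no test case. That half matters more, because the old code read `rtppayload[1]` before its length check. Adding `test_sid_dec(sid_first, 1);` next to the NULL call would cover it. test_sid_dec still copies SID_LEN bytes into `tmp`, so the buffer handed to the decoder stays valid and only the reported length is short. The enclosing function starts and ends outside this hunk.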