rtp_proxy: Prevent out-of-bounds read in rtcp_sdes_cname_mangle In rtcp_sdes_cname_mangle when skipping over additional zeroes at the end of a chunk we should not read past the actual message (rtcp_end). Fixes CID #1206579

commit: 5fc4422b4da2ade389fa64d4f5a5f01b8fa116fd [log] [tgz]
author: Daniel Willmann <dwillmann@sysmocom.de> Wed May 21 15:46:43 2014 +0200
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> Thu May 22 14:31:09 2014 +0200
tree: d7490f516ad9963f2156ca4562b7b16d85515b37
parent: 64e68df126c3d2fb4b41b75fc87a735c7b4ff15b [diff]
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c

@@ -374,7 +374,7 @@
 			tag = *cur++;
 			if (tag == 0) {
 				/* end of chunk, skip additional zero */
-				while (*cur++ == 0) { }
+				while ((*cur++ == 0) && (cur < rtcp_end)) { }
 				break;
 			}
 			len = *cur++;
commit	5fc4422b4da2ade389fa64d4f5a5f01b8fa116fd	[log] [tgz]
author	Daniel Willmann <dwillmann@sysmocom.de>	Wed May 21 15:46:43 2014 +0200
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	Thu May 22 14:31:09 2014 +0200
tree	d7490f516ad9963f2156ca4562b7b16d85515b37
parent	64e68df126c3d2fb4b41b75fc87a735c7b4ff15b [diff]