rtp_proxy: Prevent out-of-bounds read in rtcp_sdes_cname_mangle
In rtcp_sdes_cname_mangle when skipping over additional zeroes at the
end of a chunk we should not read past the actual message (rtcp_end).
Fixes CID #1206579
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 122daf2..1567323 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -374,7 +374,7 @@
tag = *cur++;
if (tag == 0) {
/* end of chunk, skip additional zero */
- while (*cur++ == 0) { }
+ while ((*cur++ == 0) && (cur < rtcp_end)) { }
break;
}
len = *cur++;