Fix SIGABRT on wrong AMR payload
Previously the length check did not consider the AMR format, which requires
an extra byte for the in-band length, leading to SIGABRT on an incorrect
payload from the BTS.
Change-Id: I800f756fc803accace8c7e0b4a42b3744fe78bb6
Fixes: OS#1731
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 6c04610..ed19175 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -163,7 +163,9 @@
return -EINVAL;
}
- if (payload_len > MAX_RTP_PAYLOAD_LEN) {
+ if (payload_len > MAX_RTP_PAYLOAD_LEN ||
+ (rtph->payload_type == RTP_PT_AMR &&
+ payload_len > MAX_RTP_PAYLOAD_LEN - 1)) {
DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
payload_len);
return -EINVAL;
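Review bot: The AMR-specific bound in the new condition is a bare `- 1` with nothing in the code tying it to the in-band length octet that the commit message describes. If the AMR handling later in the function (outside this hunk) ever changes how many extra octets it writes, this check will go stale without anyone noticing. I would put a comment directly above the `if`, e.g. `/* AMR needs one extra octet for the in-band length, so leave room for it */`. Because the payload comes from the network and the failure mode was an abort, the log line should also name the payload type, e.g. `"RTP payload too large (%d octets, PT %d)\n"`. Otherwise an AMR frame rejected at exactly MAX_RTP_PAYLOAD_LEN octets looks like a bogus rejection in traces. The enclosing `if` block and the function both continue past the end of the hunk.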