Fix SIGABRT on wrong AMR payload Previously length check have not considered AMR format which requires extra byte for in-band length leading to SIGABRT on incorrect payload from BTS. Change-Id: I800f756fc803accace8c7e0b4a42b3744fe78bb6 Fixes: OS#1731

commit: e152ffe14d1dfe2ffb4892ada5eede6ccb429338 [log] [tgz]
author: Max <msuraev@sysmocom.de> Fri Jun 10 17:21:05 2016 +0200
committer: Harald Welte <laforge@gnumonks.org> Tue Jun 14 10:20:05 2016 +0000
tree: bae02bb9f50202bc2b510d68f77839a266a63ce7
parent: b8afb5fda251be739fdd862054d28b0eedfd85c9 [diff] [blame]
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 6c04610..ed19175 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c

@@ -163,7 +163,9 @@
 		return -EINVAL;
 	}
 
-	if (payload_len > MAX_RTP_PAYLOAD_LEN) {
+	if (payload_len > MAX_RTP_PAYLOAD_LEN ||
+	    (rtph->payload_type == RTP_PT_AMR &&
+	     payload_len > MAX_RTP_PAYLOAD_LEN - 1)) {
 		DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
 			payload_len);
 		return -EINVAL;
commit	e152ffe14d1dfe2ffb4892ada5eede6ccb429338	[log] [tgz]
author	Max <msuraev@sysmocom.de>	Fri Jun 10 17:21:05 2016 +0200
committer	Harald Welte <laforge@gnumonks.org>	Tue Jun 14 10:20:05 2016 +0000
tree	bae02bb9f50202bc2b510d68f77839a266a63ce7
parent	b8afb5fda251be739fdd862054d28b0eedfd85c9 [diff] [blame]