aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@soleta.eu>2014-08-28 20:18:19 +0200
committerPablo Neira Ayuso <pablo@soleta.eu>2014-08-28 20:19:13 +0200
commit9de1521ca977c6df7718a64bb82530500141b712 (patch)
tree319ad24a83be9a54e49a00f191189ba0cfd37778
parentc7f110fe73cda7977477490c8b2e63d18dfd659d (diff)
osmux: fix more leaks in osmux_xfrm_input() in the error path
Return 0 to the caller, which believes that we have put the message in the batch. But if it is malformed, silently release it.
-rw-r--r--src/osmux.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/osmux.c b/src/osmux.c
index 828ed3b..4affd23 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -528,6 +528,9 @@ osmux_batch_add(struct osmux_batch *batch, struct msgb *msg,
* If 0 is returned, this indicates that the message has been batched or that
* an error occured and we have skipped the message. If 1 is returned, you
* have to invoke osmux_xfrm_input_deliver and try again.
+ *
+ * The function takes care of releasing the messages in case of error and
+ * when building the batch.
*/
int osmux_xfrm_input(struct osmux_in_handle *h, struct msgb *msg, int ccid)
{
@@ -538,15 +541,20 @@ int osmux_xfrm_input(struct osmux_in_handle *h, struct msgb *msg, int ccid)
/* Ignore too big RTP/RTCP messages, most likely forged. Sanity check
* to avoid a possible forever loop in the caller.
*/
- if (msg->len > h->batch_size - sizeof(struct osmux_hdr))
+ if (msg->len > h->batch_size - sizeof(struct osmux_hdr)) {
+ msgb_free(msg);
return 0;
+ }
rtph = osmo_rtp_get_hdr(msg);
- if (rtph == NULL)
+ if (rtph == NULL) {
+ msgb_free(msg);
return 0;
+ }
switch(rtph->payload_type) {
case RTP_PT_RTCP:
+ msgb_free(msg);
return 0;
default:
/* The RTP payload type is dynamically allocated,