From e152ffe14d1dfe2ffb4892ada5eede6ccb429338 Mon Sep 17 00:00:00 2001
From: Max
Date: Fri, 10 Jun 2016 17:21:05 +0200
Subject: Fix SIGABRT on wrong AMR payload

Previously length check have not considered AMR format which requires extra byte for in-band length leading to SIGABRT on incorrect payload from BTS.
Change-Id: I800f756fc803accace8c7e0b4a42b3744fe78bb6
Fixes: OS#1731
---
 openbsc/src/libtrau/rtp_proxy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/openbsc/src/libtrau/rtp_proxy.c b/openbsc/src/libtrau/rtp_proxy.c
index 6c0461017..ed1917512 100644
--- a/openbsc/src/libtrau/rtp_proxy.c
+++ b/openbsc/src/libtrau/rtp_proxy.c
@@ -163,7 +163,9 @@ static int rtp_decode(struct msgb *msg, uint32_t callref, struct msgb **data)
 return -EINVAL;
 }
- if (payload_len > MAX_RTP_PAYLOAD_LEN) {
+ if (payload_len > MAX_RTP_PAYLOAD_LEN ||
+ (rtph->payload_type == RTP_PT_AMR &&
+ payload_len > MAX_RTP_PAYLOAD_LEN - 1)) {
 DEBUGPC(DLMUX, "RTP payload too large (%d octets)\n",
 payload_len);
 return -EINVAL;
-- cgit v1.2.3
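Review bot: The `MAX_RTP_PAYLOAD_LEN - 1` bound in the added condition encodes the AMR in-band length octet as a bare `- 1`, and nothing in the code ties it to the size of the buffer the payload is later written into; the reason is recorded only in the commit message. Because payload_len is derived from a packet sent by the BTS, I would compute the limit in one place, e.g. `max_len = (rtph->payload_type == RTP_PT_AMR) ? MAX_RTP_PAYLOAD_LEN - 1 : MAX_RTP_PAYLOAD_LEN;` with the comment `/* AMR frames are stored with one extra in-band length octet */`, and compare against that. The rejection is logged through DEBUGPC with the same text for both limits, so a peer that keeps sending over-long AMR frames is hard to tell apart in the logs; printing the payload type next to the length would help. rtp_decode's body starts and ends outside the hunk, so the write that previously aborted is not visible here and the new bound cannot be checked against it from this diff alone.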