Patch Set 3:

(1 comment)

https://gerrit.osmocom.org/#/c/3537/3/src/osmux.c
File src/osmux.c:

Line 918:               SNPRINTF_BUFFER_SIZE(ret, buf_offset, size);
> I have no idea if the code initially fetching the AMR size from RTP is doin
OK, I'm reviewing this function.

It seems this check is not working.

if (msg_len < sizeof(struct osmux_hdr)) 

msg_len is int, while sizeof is unsigned.

C takes the left-hand side of the relational as unsigned, so this branch never 
evaluates true.

Then, we start accessing an out-of-bounds memory area.


-- 
To view, visit https://gerrit.osmocom.org/3537
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I695771d099833842db37a415b636035d17f1bba7
Gerrit-PatchSet: 3
Gerrit-Project: libosmo-netif
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pes...@sysmocom.de>
Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org>
Gerrit-Reviewer: Holger Freyther <hol...@freyther.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofm...@sysmocom.de>
Gerrit-Reviewer: Pablo Neira Ayuso <pa...@gnumonks.org>
Gerrit-Reviewer: Pau Espin Pedrol <pes...@sysmocom.de>
Gerrit-HasComments: Yes
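
The int-versus-sizeof comparison discussed in the comment above, as an added example that is not part of the original message or of libosmo-netif. It shows a negative length slipping past the check, next to a form that rejects it. The 4-byte struct hdr_standin and both function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct osmux_hdr; its 4-byte size is an assumption. */
struct hdr_standin { uint8_t bytes[4]; };

/* -Wsign-compare (GCC/Clang) reports the comparison below. It is silenced
 * only so this demo builds cleanly; in real code the warning is the hint. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wsign-compare"
/* Same shape as the quoted check: int compared with size_t. msg_len is
 * converted to size_t first, so -1 becomes SIZE_MAX and is not "too short". */
static int too_short_as_quoted(int msg_len)
{
	return msg_len < sizeof(struct hdr_standin);
}
#pragma GCC diagnostic pop

/* Hardened form: reject negative lengths before the unsigned comparison. */
static int too_short_checked(int msg_len)
{
	if (msg_len < 0)
		return 1;
	return (size_t)msg_len < sizeof(struct hdr_standin);
}

int main(void)
{
	/* Constructed sample lengths, including values a length field can
	 * reach after subtracting more bytes than the buffer held. */
	static const int samples[] = { -100, -1, 0, 3, 4, 20 };
	size_t i;

	printf("%8s %10s %8s\n", "msg_len", "as_quoted", "checked");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%8d %10d %8d\n", samples[i],
		       too_short_as_quoted(samples[i]),
		       too_short_checked(samples[i]));
	return 0;
}
```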
