From: Dragos Oancea <dragos@signalwire.com>
Date: Tue, 2 Apr 2019 20:10:22 +0000 (+0000)
Subject: FS-11751: process_rtcp_packet() bounds check
X-Git-Tag: v1.8.6~1^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=32de076b18c17a313fe310f0ca40ea6fb3dd7c81;p=thirdparty%2Ffreeswitch.git

FS-11751: process_rtcp_packet() bounds check
---

diff --git a/src/switch_rtp.c b/src/switch_rtp.c
index 1707cee6ec..15adc72a57 100644
--- a/src/switch_rtp.c
+++ b/src/switch_rtp.c
@@ -6848,6 +6848,9 @@ static switch_status_t process_rtcp_packet(switch_rtp_t *rtp_session, switch_siz
 	switch_status_t status = SWITCH_STATUS_FALSE;
 	rtcp_msg_t *msg = rtp_session->rtcp_recv_msg_p;
 
+	if (remain < sizeof(switch_rtcp_ext_hdr_t) || remain > sizeof(rtcp_msg_t)) {
+		return status;
+	}
 	if (msg->header.version != 2) {
 		if (msg->header.version == 0) {
 			if (rtp_session->ice.ice_user) {