From 3876bddda6fefe65accd9badfdf6eba45117f913 Mon Sep 17 00:00:00 2001 From: Richard Fuchs Date: Tue, 2 Apr 2024 15:56:42 -0400 Subject: [PATCH] MT#55283 fix array out of bounds access The PT index can be -1 or -2. Ignore RTP stats in this case. fixes #1814 Change-Id: Ifdcdbccad592fd1a27d2b31359861ecb3e725546 --- kernel-module/xt_RTPENGINE.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel-module/xt_RTPENGINE.c b/kernel-module/xt_RTPENGINE.c index 756124ac6b..f67bef5321 100644 --- a/kernel-module/xt_RTPENGINE.c +++ b/kernel-module/xt_RTPENGINE.c @@ -5310,7 +5310,7 @@ static unsigned int rtpengine46(struct sk_buff *skb, struct sk_buff *oskb, skb_trim(skb, rtp.header_len + rtp.payload_len); - if (g->target.rtp_stats && ssrc_idx != -1) + if (g->target.rtp_stats && ssrc_idx != -1 && rtp_pt_idx >= 0) rtp_stats(g, &rtp, ktime_to_us(skb->tstamp), rtp_pt_idx, ssrc_idx); DBG("packet payload decrypted as %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x...\n",