diff --git a/src/modules/module-avb/acmp-cmds-resps/acmp-milan-v12.c b/src/modules/module-avb/acmp-cmds-resps/acmp-milan-v12.c index ecda0bf05..7d4f56f87 100644 --- a/src/modules/module-avb/acmp-cmds-resps/acmp-milan-v12.c +++ b/src/modules/module-avb/acmp-cmds-resps/acmp-milan-v12.c @@ -154,8 +154,8 @@ static struct acmp_lt_timers *acmp_lt_add_timer_milan_v12(struct acmp_milan_v12 if (tmr == NULL) return NULL; if (m) { - memcpy(tmr->saved_packet, m, len); - tmr->saved_packet_len = len; + tmr->saved_packet_len = SPA_MIN(len, sizeof(tmr->saved_packet)); + memcpy(tmr->saved_packet, m, tmr->saved_packet_len); } tmr->timeout = timeout; diff --git a/src/modules/module-avb/adp.c b/src/modules/module-avb/adp.c index 1126ec7b4..c3481bb00 100644 --- a/src/modules/module-avb/adp.c +++ b/src/modules/module-avb/adp.c @@ -153,8 +153,8 @@ static int adp_message(void *data, uint64_t now, const void *message, int len) if (e == NULL) return -errno; - memcpy(e->buf, message, len); - e->len = len; + e->len = SPA_MIN((size_t)len, sizeof(e->buf)); + memcpy(e->buf, message, e->len); e->valid_time = AVB_PACKET_ADP_GET_VALID_TIME(p); e->entity_id = entity_id; spa_list_append(&adp->entities, &e->link); @@ -199,7 +199,8 @@ static int adp_message(void *data, uint64_t now, const void *message, int len) } } - memcpy(e->buf, message, len); + e->len = SPA_MIN((size_t)len, sizeof(e->buf)); + memcpy(e->buf, message, e->len); } } e->last_time = now; diff --git a/src/modules/module-avb/stream.c b/src/modules/module-avb/stream.c index 0cbae95ee..c50aefa71 100644 --- a/src/modules/module-avb/stream.c +++ b/src/modules/module-avb/stream.c @@ -760,6 +760,8 @@ static void handle_aaf_packet(struct stream *stream, filled = spa_ringbuffer_get_write_index(&stream->ring, &index); n_bytes = ntohs(p->data_len); + if (n_bytes > (uint32_t)(len - (int)sizeof(*p))) + return; /* IEEE 1722.1 Section 7.4.42 / Milan Section 5.4.5.3: FRAMES_RX counts every valid * AVTPDU received on the wire — independent of whether the listener