From 398f74571b80b7e0f3a74bdb6d6e1a764393982d Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Fri, 15 May 2026 10:45:14 +0200
Subject: [PATCH] module: check packet size for CK messages

Check that the CK packet is large enough before we start reading its
contents.
---
 src/modules/module-rtp-session.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/modules/module-rtp-session.c b/src/modules/module-rtp-session.c
index a82731120..4374f64b5 100644
--- a/src/modules/module-rtp-session.c
+++ b/src/modules/module-rtp-session.c
@@ -727,9 +727,6 @@ static void parse_apple_midi_cmd_in(struct impl *impl, bool ctrl, uint8_t *buffe
 	char addr[128];
 	uint16_t port = 0;
 
-	if ((size_t)len < sizeof(*hdr))
-		return;
-
 	initiator = ntohl(hdr->initiator);
 	ssrc = ntohl(hdr->ssrc);
 
@@ -868,9 +865,14 @@ static void parse_apple_midi_cmd_ck(struct impl *impl, bool ctrl, uint8_t *buffe
 	struct rtp_apple_midi_ck reply;
 	struct session *sess;
 	uint64_t ts, t1, t2, t3;
-	uint32_t ssrc = ntohl(hdr->ssrc);
+	uint32_t ssrc;
 	struct timespec now;
 
+	if ((size_t)len < sizeof(*hdr))
+		return;
+
+	ssrc = ntohl(hdr->ssrc);
+
 	sess = find_session_by_ssrc(impl, ssrc);
 	if (sess == NULL) {
 		pw_log_warn("unknown SSRC %u", ssrc);