From a51332f675f9505cc7f3735017d0eb86386319a0 Mon Sep 17 00:00:00 2001
From: Donat Zenichev <dzenichev@sipwise.com>
Date: Wed, 24 Jun 2026 18:23:07 +0200
Subject: [PATCH] MT#61856 media_socket: `extmap_short_is_valid_data()` no 0
 len

Currently the helper accepts 0 length, but callers actually
can try to mutate it with `- 1` what means overflowing it.
e.g. `extmap_short_is_valid_data()` has a bitwise operation
including length `(id << 4) | (ext->len - 1)`

Change-Id: I74f7fa134355059b18ba8c2b4e671c735324bdb7
---
 daemon/media_socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/daemon/media_socket.c b/daemon/media_socket.c
index c0fbd8369..bf8458832 100644
--- a/daemon/media_socket.c
+++ b/daemon/media_socket.c
@@ -2307,6 +2307,8 @@ static bool extmap_short_is_valid_data(unsigned int id, size_t len) {
 	// valid ranges for short form?
 	if (id <= 0 || id >= 15)
 		return false;
+	if (len == 0)
+		return false;
 	if (len > 16)
 		return false;
 	return true;