]> git.ipfire.org Git - thirdparty/freeswitch.git/commitdiff
projects / thirdparty / freeswitch.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 711e49c)
Add immediate sanity check on untrusted length
authorTravis Cross <tc@traviscross.com>
Tue, 8 Apr 2014 21:04:59 +0000 (21:04 +0000)
committerTravis Cross <tc@traviscross.com>
Tue, 8 Apr 2014 21:08:02 +0000 (21:08 +0000)
We were actually checking this indirectly in the loop that follows,
but it's more clear to check this immediately and directly.

src/switch_stun.c patch | blob | blame | history

diff --git a/src/switch_stun.c b/src/switch_stun.c
index c853a0814968944131cf097414c3e41e3b70ed59..55f8a65eaca9b8c5f23c2c3d4bb220103fb62af5 100644 (file)
--- a/src/switch_stun.c
+++ b/src/switch_stun.c
@@ -129,7 +129,8 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t *buf, ui
        packet = (switch_stun_packet_t *) buf;
        packet->header.type = ntohs(packet->header.type);
        packet->header.length = ntohs(packet->header.length);
-       bytes_left -= 20;
+       if (packet->header.length > (bytes_left -= 20))
+               return NULL;
 
 
        /*
Mirror of https://github.com/signalwire/freeswitch.git