Validate the size of the buffer in stun_get_command_message_len_str().

Without this the caller could read off the end of the underlying buffer if it receives a maliciously crafted packet with an invalid header size.
Feral Interactive 2019-11-01 11:37:29 +00:00 committed by bobsayshilol
parent 540ef5fd6e
commit 14cb1c94e7


@ -360,7 +360,14 @@ int stun_get_command_message_len_str(const uint8_t* buf, size_t len)
{
if (len < STUN_HEADER_LENGTH)
return -1;
return (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH);
/* Validate the size the buffer claims to be */
int bufLen = (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH);
if (bufLen > len) {
return -1;
}
return bufLen;
}
static int stun_set_command_message_len_str(uint8_t* buf, int len) {
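Review bot: The added check `if (bufLen > len)` compares an `int` with a `size_t`, so `bufLen` is converted to unsigned before the comparison; it is correct here only because a 16-bit length plus STUN_HEADER_LENGTH cannot be negative, and it will trip `-Wsign-compare`. Keeping the arithmetic in `size_t` makes the bound explicit: `size_t bufLen = (size_t)nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH;`, then `if (bufLen > len) return -1;` and `return (int)bufLen;`. The function now also returns -1 when the declared length exceeds the bytes supplied, so callers outside this hunk that cast the result to `size_t` or compare it with a buffer length should be checked for how they treat -1. A one-line comment such as `/* Returns -1, or a message length that is <= len */` above the function would document the new contract.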