From 14cb1c94e7be98869f45678ba195a26796a797c4 Mon Sep 17 00:00:00 2001
From: Feral Interactive
Date: Fri, 1 Nov 2019 11:37:29 +0000
Subject: [PATCH] Validate the size of the buffer in stun_get_command_message_len_str().

Without this the caller could read off the end of the underlying buffer if it receives a maliciously crafted packet with an invalid header size.
---
 src/client/ns_turn_msg.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c
index 6048312..889cf44 100644
--- a/src/client/ns_turn_msg.c
+++ b/src/client/ns_turn_msg.c
@@ -360,7 +360,14 @@
 int stun_get_command_message_len_str(const uint8_t* buf, size_t len) {
 if (len < STUN_HEADER_LENGTH)
 return -1;
- return (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH);
+
+ /* Validate the size the buffer claims to be */
+ int bufLen = (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH);
+ if (bufLen > len) {
+ return -1;
+ }
+
+ return bufLen;
 }
 
 static int stun_set_command_message_len_str(uint8_t* buf, int len) {
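Review bot: The new guard `if (bufLen > len)` compares an `int` with a `size_t`, so it gives the right answer only because the value is a 16-bit field plus STUN_HEADER_LENGTH and can never be negative. Keeping the computed length unsigned makes that explicit and avoids a sign-compare warning: `size_t bufLen = (size_t) nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH;` with `return (int) bufLen;` at the end. Separately, -1 now stands for both "fewer than STUN_HEADER_LENGTH bytes" and "claimed length exceeds the bytes supplied". If any caller (none is visible in this hunk) passes a partial stream read to learn how many bytes are still missing, it will now get an error instead. A comment above the function stating that `len` must cover the whole message, and that -1 is returned otherwise, would document the new contract.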