
Validate the size of the buffer in stun_get_command_message_len_str().
Without this the caller could read off the end of the underlying buffer if it receives a maliciously crafted packet with an invalid header size.

Feral Interactive 6 years ago
parent
commit
14cb1c94e7
1 changed files with 8 additions and 1 deletions
  1. 8 1
      src/client/ns_turn_msg.c

+ 8 - 1
src/client/ns_turn_msg.c

@@ -360,7 +360,14 @@ int stun_get_command_message_len_str(const uint8_t* buf, size_t len)
 {
 	if (len < STUN_HEADER_LENGTH)
 		return -1;
-	return (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH);
+
+	/* Validate the size the buffer claims to be */
+	int bufLen = (int) (nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH);
+	if (bufLen > len) {
+		return -1;
+	}
+
+	return bufLen;
 }
 
 static int stun_set_command_message_len_str(uint8_t* buf, int len) {
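Review bot: The new bounds check `if (bufLen > len)` compares a signed `int` with a `size_t`, so it is only correct because the 16-bit length field keeps `bufLen` non-negative. Keeping the value unsigned makes that explicit and avoids a sign-compare warning: `size_t bufLen = (size_t)nswap16(((const uint16_t*)(buf))[1]) + STUN_HEADER_LENGTH;`, with `return (int)bufLen;` at the end. The function now returns -1 both for a truncated header and for a message whose body has not fully arrived, so callers that use the return value to decide how many more bytes to wait for on a stream transport (none are visible in this hunk) should be checked for that case. The comment would help more if it said the length field comes from the packet and is untrusted, e.g. `/* Length field is taken from the wire: reject a claimed size larger than the bytes actually received */`.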