catch buffer overflow from invalid stun packet.

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@8354 d0543943-73ff-0310-b7d9-9358b9ac24b2
Michael Jerris
2008-05-10 21:10:44 +00:00
parent cc0f50a9b1
commit cad2e58206
3 changed files with 9 additions and 4 deletions


@@ -238,6 +238,7 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
{
switch_stun_packet_t *packet;
switch_stun_packet_attribute_t *attr;
void *end_buf;
char username[33] = { 0 };
unsigned char buf[512] = { 0 };
switch_size_t cpylen = len;
@@ -260,6 +261,7 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
memcpy(buf, data, cpylen);
packet = switch_stun_packet_parse(buf, sizeof(buf));
end_buf = buf + sizeof(buf);
rtp_session->last_stun = switch_time_now();
switch_stun_packet_first_attribute(packet, attr);
@@ -279,7 +281,7 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
}
break;
}
} while (switch_stun_packet_next_attribute(attr));
} while (switch_stun_packet_next_attribute(attr, end_buf));
if ((packet->header.type == SWITCH_STUN_BINDING_REQUEST) && !strcmp(rtp_session->user_ice, username)) {
uint8_t stunbuf[512];
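Review bot: In the second hunk, `end_buf = buf + sizeof(buf);` bounds the attribute walk by the capacity of the local buffer rather than by the number of bytes actually copied from the datagram (`cpylen`). Because `buf` is zero-initialised the walk stays inside the array, but a short or malformed packet is then iterated across the zero padding as if it held attributes, and the length handed to `switch_stun_packet_parse(buf, sizeof(buf))` has the same problem. Consider `end_buf = buf + cpylen;` and passing `cpylen` to the parser, assuming `cpylen` is clamped to `sizeof(buf)` in the lines outside the hunk. No NULL check on `packet` is visible before `switch_stun_packet_first_attribute(packet, attr)` or the later `packet->header.type` read; handle_ice's body starts and ends outside these hunks, so confirm one exists.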