add bounds check to keep rtcp packets with > 5 report blocks from creating a buffer overrun

This commit is contained in:
Michael Jerris 2014-04-28 13:31:55 -04:00
parent cc06d9181b
commit 59734d8e15
1 changed files with 1 additions and 1 deletions

View File

@ -5881,7 +5881,7 @@ SWITCH_DECLARE(switch_status_t) switch_rtcp_zerocopy_read_frame(switch_rtp_t *rt
frame->packet_count = ntohl(sr->sr_head.pc); frame->packet_count = ntohl(sr->sr_head.pc);
frame->octect_count = ntohl(sr->sr_head.oc); frame->octect_count = ntohl(sr->sr_head.oc);
for (i = 0; i < (int)rtp_session->rtcp_recv_msg_p->header.count; i++) { for (i = 0; i < (int)rtp_session->rtcp_recv_msg_p->header.count && i < MAX_REPORT_BLOCKS ; i++) {
struct switch_rtcp_report_block* report = (struct switch_rtcp_report_block*) (rtp_session->rtcp_recv_msg_p->body + (sizeof(struct switch_rtcp_sr_head) + (i * sizeof(struct switch_rtcp_report_block)))); struct switch_rtcp_report_block* report = (struct switch_rtcp_report_block*) (rtp_session->rtcp_recv_msg_p->body + (sizeof(struct switch_rtcp_sr_head) + (i * sizeof(struct switch_rtcp_report_block))));
frame->reports[i].ssrc = ntohl(report->ssrc); frame->reports[i].ssrc = ntohl(report->ssrc);
frame->reports[i].fraction = (uint8_t)ntohl(report->fraction); frame->reports[i].fraction = (uint8_t)ntohl(report->fraction);