[Core] check_ice: sanitize second field of the candidates. Add new switch_is_uint_in_range() API.

This commit is contained in:
Andrey Volk 2023-08-01 19:33:17 +03:00
parent eb918fe180
commit 9347c96712
5 changed files with 60 additions and 7 deletions

View File

@ -106,12 +106,13 @@ typedef struct icand_s {
} icand_t; } icand_t;
#define MAX_CAND 50 #define MAX_CAND 50
#define MAX_CAND_IDX_COUNT 2
typedef struct ice_s { typedef struct ice_s {
icand_t cands[MAX_CAND][2]; icand_t cands[MAX_CAND][MAX_CAND_IDX_COUNT];
int cand_idx[2]; int cand_idx[MAX_CAND_IDX_COUNT];
int chosen[2]; int chosen[MAX_CAND_IDX_COUNT];
int is_chosen[2]; int is_chosen[MAX_CAND_IDX_COUNT];
char *ufrag; char *ufrag;
char *pwd; char *pwd;
char *options; char *options;

View File

@ -498,6 +498,14 @@ SWITCH_DECLARE(switch_size_t) switch_fp_read_dline(FILE *fd, char **buf, switch_
SWITCH_DECLARE(switch_status_t) switch_frame_alloc(switch_frame_t **frame, switch_size_t size); SWITCH_DECLARE(switch_status_t) switch_frame_alloc(switch_frame_t **frame, switch_size_t size);
SWITCH_DECLARE(switch_status_t) switch_frame_dup(switch_frame_t *orig, switch_frame_t **clone); SWITCH_DECLARE(switch_status_t) switch_frame_dup(switch_frame_t *orig, switch_frame_t **clone);
SWITCH_DECLARE(switch_status_t) switch_frame_free(switch_frame_t **frame); SWITCH_DECLARE(switch_status_t) switch_frame_free(switch_frame_t **frame);
/*! \brief Check if a 32 bit unsigned number is in a range.
* \param str string to check. Should not contain non-digit characters.
* \param from start of range including this number
* \param to end of range including this number
* \return true or false
*/
SWITCH_DECLARE(switch_bool_t) switch_is_uint_in_range(const char *str, unsigned int from, unsigned int to);
SWITCH_DECLARE(switch_bool_t) switch_is_number(const char *str); SWITCH_DECLARE(switch_bool_t) switch_is_number(const char *str);
SWITCH_DECLARE(switch_bool_t) switch_is_leading_number(const char *str); SWITCH_DECLARE(switch_bool_t) switch_is_leading_number(const char *str);
SWITCH_DECLARE(char *) switch_find_parameter(const char *str, const char *param, switch_memory_pool_t *pool); SWITCH_DECLARE(char *) switch_find_parameter(const char *str, const char *param, switch_memory_pool_t *pool);

View File

@ -4167,10 +4167,15 @@ static switch_status_t check_ice(switch_media_handle_t *smh, switch_media_type_t
argc = switch_split(data, ' ', fields); argc = switch_split(data, ' ', fields);
if (argc < 6 || !switch_is_uint_in_range(fields[1], 1, MAX_CAND_IDX_COUNT)) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(smh->session), SWITCH_LOG_WARNING, "Invalid data\n");
continue;
}
cid = fields[1] ? atoi(fields[1]) - 1 : 0; cid = fields[1] ? atoi(fields[1]) - 1 : 0;
if (argc < 6 || engine->ice_in.cand_idx[cid] >= MAX_CAND - 1) { if (engine->ice_in.cand_idx[cid] >= MAX_CAND - 1) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(smh->session), SWITCH_LOG_WARNING, "Invalid data\n"); switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(smh->session), SWITCH_LOG_WARNING, "Too many candidates\n");
continue; continue;
} }
@ -4250,7 +4255,7 @@ static switch_status_t check_ice(switch_media_handle_t *smh, switch_media_type_t
relay: relay:
for (cid = 0; cid < 2; cid++) { for (cid = 0; cid < MAX_CAND_IDX_COUNT; cid++) {
switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(smh->session), SWITCH_LOG_DEBUG, "Searching for %s candidate.\n", cid ? "rtcp" : "rtp"); switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(smh->session), SWITCH_LOG_DEBUG, "Searching for %s candidate.\n", cid ? "rtcp" : "rtp");
for (ai = 0; ai < engine->cand_acl_count; ai++) { for (ai = 0; ai < engine->cand_acl_count; ai++) {

View File

@ -1607,6 +1607,30 @@ SWITCH_DECLARE(char *) switch_separate_paren_args(char *str)
return args; return args;
} }
SWITCH_DECLARE(switch_bool_t) switch_is_uint_in_range(const char *str, unsigned int from, unsigned int to)
{
unsigned int number;
const char *original_str = str;
if (str == NULL || *str == '\0' || from > to) {
return SWITCH_FALSE;
}
for (; *str != '\0'; str++) {
if (!isdigit(*str)) {
return SWITCH_FALSE;
}
}
number = atoi(original_str);
if (number < from || number > to) {
return SWITCH_FALSE;
}
return SWITCH_TRUE;
}
SWITCH_DECLARE(switch_bool_t) switch_is_number(const char *str) SWITCH_DECLARE(switch_bool_t) switch_is_number(const char *str)
{ {
const char *p; const char *p;

View File

@ -95,6 +95,21 @@ FST_CORE_BEGIN("./conf")
FST_TEST_END() FST_TEST_END()
#endif #endif
FST_TEST_BEGIN(test_switch_is_number_in_range)
{
fst_check_int_equals(switch_is_uint_in_range("x5", 0, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("0", 1, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("-11", -10, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("-10", -10, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("-5", -10, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("-5", -10, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("5", -10, 10), SWITCH_FALSE);
fst_check_int_equals(switch_is_uint_in_range("0", 0, 10), SWITCH_TRUE);
fst_check_int_equals(switch_is_uint_in_range("10", 0, 10), SWITCH_TRUE);
fst_check_int_equals(switch_is_uint_in_range("11", 0, 10), SWITCH_FALSE);
}
FST_TEST_END()
FST_TEST_BEGIN(test_md5) FST_TEST_BEGIN(test_md5)
{ {
char digest[SWITCH_MD5_DIGEST_STRING_SIZE] = { 0 }; char digest[SWITCH_MD5_DIGEST_STRING_SIZE] = { 0 };