kenmirrors/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2025-08-14 01:49:05 +00:00
Code Issues Projects Releases Wiki Activity

catch buffer overflow from invalid stun packet.

Browse Source 
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@8354 d0543943-73ff-0310-b7d9-9358b9ac24b2
This commit is contained in:
Michael Jerris
2008-05-10 21:10:44 +00:00
parent cc0f50a9b1
commit cad2e58206
3 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/switch_stun.c
View File

@@ -117,6 +117,7 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t * buf, u
{
switch_stun_packet_t *packet;
switch_stun_packet_attribute_t *attr;
void *end_buf = buf + len;
if (len < SWITCH_STUN_PACKET_MIN_LEN) {
return NULL;
@@ -141,7 +142,7 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t * buf, u
}
break;
}
} while (switch_stun_packet_next_attribute(attr));
} while (switch_stun_packet_next_attribute(attr, end_buf));
return packet;
}
@@ -273,6 +274,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
switch_sockaddr_t *local_addr = NULL, *remote_addr = NULL, *from_addr = NULL;
switch_socket_t *sock = NULL;
uint8_t buf[256] = { 0 };
void *end_buf;
switch_stun_packet_t *packet;
switch_stun_packet_attribute_t *attr;
switch_size_t bytes = 0;
@@ -335,6 +337,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
switch_socket_close(sock);
packet = switch_stun_packet_parse(buf, sizeof(buf));
end_buf = buf + sizeof(buf);
switch_stun_packet_first_attribute(packet, attr);
do {
@@ -350,7 +353,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
}
break;
}
} while (switch_stun_packet_next_attribute(attr));
} while (switch_stun_packet_next_attribute(attr, end_buf));
if (packet->header.type == SWITCH_STUN_BINDING_RESPONSE) {
*ip = switch_core_strdup(pool, rip);