catch buffer overflow from invalid stun packet.

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@8354 d0543943-73ff-0310-b7d9-9358b9ac24b2
Michael Jerris 2008-05-10 21:10:44 +00:00
parent cc0f50a9b1
commit cad2e58206
3 changed files with 9 additions and 4 deletions


@ -221,7 +221,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
\param attribute the pointer to increment \param attribute the pointer to increment
\return true or false depending on if there are any more attributes \return true or false depending on if there are any more attributes
*/ */
#define switch_stun_packet_next_attribute(attribute) (attribute = (switch_stun_packet_attribute_t *) (attribute->value + attribute->length)) && attribute->length #define switch_stun_packet_next_attribute(attribute, end) (attribute && (attribute = (switch_stun_packet_attribute_t *) (attribute->value + attribute->length)) && ((void *)attribute < end) && attribute->length && ((void *)(attribute + attribute->length) < end))
/*! /*!
\brief Obtain the correct length in bytes of a stun packet \brief Obtain the correct length in bytes of a stun packet
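Review bot: In the new `switch_stun_packet_next_attribute`, the last clause `(void *)(attribute + attribute->length) < end` does arithmetic on a `switch_stun_packet_attribute_t *`, so the offset is scaled by `sizeof(*attribute)` and does not describe where the attribute's value actually ends. `attribute->length` is also read once only `(void *)attribute < end` has been established, so a header that begins on the last byte or two of the buffer is still read past `end`. Assuming `value` is a byte array (the advance expression suggests so), both checks should be byte-based: `((uint8_t *)(attribute) + sizeof(*(attribute)) <= (uint8_t *)(end))` before the length test and `((uint8_t *)(attribute)->value + (attribute)->length <= (uint8_t *)(end))` after it. The macro expands `attribute` and `end` unparenthesised and evaluates `attribute` several times, which is worth a caution in the doc comment. The `\param` list should also gain an entry such as `\param end pointer one past the last valid byte of the packet buffer`.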


@ -238,6 +238,7 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
{ {
switch_stun_packet_t *packet; switch_stun_packet_t *packet;
switch_stun_packet_attribute_t *attr; switch_stun_packet_attribute_t *attr;
void *end_buf;
char username[33] = { 0 }; char username[33] = { 0 };
unsigned char buf[512] = { 0 }; unsigned char buf[512] = { 0 };
switch_size_t cpylen = len; switch_size_t cpylen = len;
@ -260,6 +261,7 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
memcpy(buf, data, cpylen); memcpy(buf, data, cpylen);
packet = switch_stun_packet_parse(buf, sizeof(buf)); packet = switch_stun_packet_parse(buf, sizeof(buf));
end_buf = buf + sizeof(buf);
rtp_session->last_stun = switch_time_now(); rtp_session->last_stun = switch_time_now();
switch_stun_packet_first_attribute(packet, attr); switch_stun_packet_first_attribute(packet, attr);
@ -279,7 +281,7 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
} }
break; break;
} }
} while (switch_stun_packet_next_attribute(attr)); } while (switch_stun_packet_next_attribute(attr, end_buf));
if ((packet->header.type == SWITCH_STUN_BINDING_REQUEST) && !strcmp(rtp_session->user_ice, username)) { if ((packet->header.type == SWITCH_STUN_BINDING_REQUEST) && !strcmp(rtp_session->user_ice, username)) {
uint8_t stunbuf[512]; uint8_t stunbuf[512];
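Review bot: `end_buf = buf + sizeof(buf)` bounds the attribute walk by the capacity of the local buffer rather than by the number of bytes copied from the datagram, and `switch_stun_packet_parse(buf, sizeof(buf))` passes the same capacity, so the parser's minimum-length test can never reject a short packet. Reads stay inside `buf` because it is zero-initialised, but an attribute whose declared length runs past the received data is accepted and the zero padding is consumed as attribute content. Provided `cpylen` is clamped to `sizeof(buf)` in the lines not shown, `end_buf = buf + cpylen;` with `cpylen` also passed to the parser would be the tighter bound. The parser's return value should then be tested (`if (!packet) return;`) before `switch_stun_packet_first_attribute` dereferences it. The same two points apply to `switch_stun_lookup`, where the received count appears to be `bytes`; `handle_ice` starts and ends outside these hunks.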


@ -117,6 +117,7 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t * buf, u
{ {
switch_stun_packet_t *packet; switch_stun_packet_t *packet;
switch_stun_packet_attribute_t *attr; switch_stun_packet_attribute_t *attr;
void *end_buf = buf + len;
if (len < SWITCH_STUN_PACKET_MIN_LEN) { if (len < SWITCH_STUN_PACKET_MIN_LEN) {
return NULL; return NULL;
@ -141,7 +142,7 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t * buf, u
} }
break; break;
} }
} while (switch_stun_packet_next_attribute(attr)); } while (switch_stun_packet_next_attribute(attr, end_buf));
return packet; return packet;
} }
@ -273,6 +274,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
switch_sockaddr_t *local_addr = NULL, *remote_addr = NULL, *from_addr = NULL; switch_sockaddr_t *local_addr = NULL, *remote_addr = NULL, *from_addr = NULL;
switch_socket_t *sock = NULL; switch_socket_t *sock = NULL;
uint8_t buf[256] = { 0 }; uint8_t buf[256] = { 0 };
void *end_buf;
switch_stun_packet_t *packet; switch_stun_packet_t *packet;
switch_stun_packet_attribute_t *attr; switch_stun_packet_attribute_t *attr;
switch_size_t bytes = 0; switch_size_t bytes = 0;
@ -335,6 +337,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
switch_socket_close(sock); switch_socket_close(sock);
packet = switch_stun_packet_parse(buf, sizeof(buf)); packet = switch_stun_packet_parse(buf, sizeof(buf));
end_buf = buf + sizeof(buf);
switch_stun_packet_first_attribute(packet, attr); switch_stun_packet_first_attribute(packet, attr);
do { do {
@ -350,7 +353,7 @@ SWITCH_DECLARE(switch_status_t) switch_stun_lookup(char **ip,
} }
break; break;
} }
} while (switch_stun_packet_next_attribute(attr)); } while (switch_stun_packet_next_attribute(attr, end_buf));
if (packet->header.type == SWITCH_STUN_BINDING_RESPONSE) { if (packet->header.type == SWITCH_STUN_BINDING_RESPONSE) {
*ip = switch_core_strdup(pool, rip); *ip = switch_core_strdup(pool, rip);
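Review bot: The new bounds test runs only in the `while` condition, so in each `do { … } while (switch_stun_packet_next_attribute(attr, end_buf))` loop the first attribute set by `switch_stun_packet_first_attribute` is processed before its header or `length` has been compared with `end_buf`. If the loop bodies (which lie outside these hunks) read `attr->length` bytes of `attr->value`, a first attribute with an oversized length is still read beyond the buffer. A guard ahead of each `do`, applied after any byte-order conversion of `length`, would close this: `if ((uint8_t *)attr->value + attr->length > (uint8_t *)end_buf) { return NULL; }` in `switch_stun_packet_parse`, and the function's usual error exit in `switch_stun_lookup`. A short comment on each `end_buf` stating that it points one past the last valid byte would also help, since the macro silently relies on that convention.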