Travis Cross aa4261d11f Avoid buffer-overflow on short RTCP/SRTCP packets
In `srtp_unprotect_rtcp()` we are not validating that the packet
length is as long as the minimum required.  This would cause
`enc_octet_len` to underflow, which would cause us to try to decrypt
data past the end of the packet in memory -- a buffer over-read and
buffer overflow.

In `srtp_protect_rtcp()`, we were similarly not validating the packet
length.  Here we were also polluting the address of the SRTCP
encrypted flag and index (the `trailer`), causing us to write one word
to a bogus memory address before getting to the encryption where we
would also overflow.

In this commit we add checks to appropriately validate the RTCP/SRTCP
packet lengths.

`srtp_unprotect_rtcp_aead()` (but not protect) did correctly validate
the packet length; this check would now be redundant as the check in
`srtp_unprotect_rtcp()` will also run first, so it has been removed.
2014-06-30 19:00:35 +00:00
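
The length validation described in the commit message above, as an added C example that is not libsrtp's code. All function and type names are hypothetical; the sizes assumed are the 8-octet RTCP header and 4-octet SRTCP trailer from RFC 3550 and RFC 3711, a 10-octet authentication tag in the sample calls, and the non-AEAD packet layout.

```c
#include <stdio.h>
/* Sizes per RFC 3550 / RFC 3711; all names here are hypothetical. */
#define RTCP_HEADER_LEN   8u  /* common header + sender SSRC, never encrypted */
#define SRTCP_TRAILER_LEN 4u  /* E flag + 31-bit SRTCP index */

typedef struct {
    int ok;                   /* 1 if the packet is long enough, else 0 */
    unsigned int enc_len;     /* octets to encrypt or decrypt */
    unsigned int trailer_off; /* offset of the trailer from packet start */
} srtcp_layout_t;

/* The unchecked subtraction: wraps to a huge value on a short packet. */
unsigned int enc_len_unchecked(unsigned int pkt_len, unsigned int tag_len)
{
    return pkt_len - (RTCP_HEADER_LEN + tag_len + SRTCP_TRAILER_LEN);
}

/* Receive side: header | encrypted payload | trailer | auth tag. */
srtcp_layout_t unprotect_layout(unsigned int pkt_len, unsigned int tag_len)
{
    srtcp_layout_t l = {0, 0, 0};
    unsigned int min_len = RTCP_HEADER_LEN + SRTCP_TRAILER_LEN + tag_len;
    if (pkt_len < min_len)
        return l;             /* reject before any pointer arithmetic */
    l.ok = 1;
    l.enc_len = pkt_len - min_len;
    l.trailer_off = RTCP_HEADER_LEN + l.enc_len;
    return l;
}

/* Send side: input is plain RTCP; the trailer is appended after it. */
srtcp_layout_t protect_layout(unsigned int pkt_len)
{
    srtcp_layout_t l = {0, 0, 0};
    if (pkt_len < RTCP_HEADER_LEN)
        return l;             /* shorter than the cleartext header */
    l.ok = 1;
    l.enc_len = pkt_len - RTCP_HEADER_LEN;
    l.trailer_off = pkt_len;
    return l;
}

int main(void)
{
    /* Constructed input: a 12-octet packet with a 10-octet tag. */
    printf("unchecked: %u\n", enc_len_unchecked(12, 10));
    printf("checked ok: %d\n", unprotect_layout(12, 10).ok);
    return 0;
}
```

The unchecked length for the 12-octet packet wraps around instead of going negative, which is why the comparison has to happen before the subtraction and before the trailer address is derived.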