From 1636550176af250d8606618e29f46181bc8d189f Mon Sep 17 00:00:00 2001
From: Travis Cross
Date: Tue, 8 Apr 2014 21:04:59 +0000
Subject: [PATCH] Add immediate sanity check on untrusted length

We were actually checking this indirectly in the loop that follows, but it's more clear to check this immediately and directly.
---
 src/switch_stun.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/switch_stun.c b/src/switch_stun.c
index c853a08149..55f8a65eac 100644
--- a/src/switch_stun.c
+++ b/src/switch_stun.c
@@ -129,7 +129,8 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t *buf, ui
 packet = (switch_stun_packet_t *) buf;
 packet->header.type = ntohs(packet->header.type);
 packet->header.length = ntohs(packet->header.length);
- bytes_left -= 20;
+ if (packet->header.length > (bytes_left -= 20))
+ return NULL;
 /*