mirror of
https://github.com/signalwire/freeswitch.git
synced 2025-02-07 12:17:35 +00:00
3bf2b9af75
When computing the start address of the RTP data to encrypt or SRTP data to decrypt (`enc_start`), we are using `hdr->cc` (the CSRC count), which is untrusted data from the packet, and the length field of an RTP header extension, which is also untrusted and unchecked data from the packet. This value then pollutes our calculation of how much data we'll be encrypting or decrypting (`enc_octet_len`), possibly causing us to underflow. We'll then call `cipher_encrypt()` or `cipher_decrypt()` with these two values, causing us to read from and write to arbitrary addresses in memory. (In the AEAD functions, we'd also pollute `aad_len`, which would cause us to read undefined memory in `cipher_set_aad`.) This commit adds checks to verify that the `enc_start` we calculate is sane based on the actual packet length.