From c7250805d6d9f047af3f0da2be4cc65c2602f603 Mon Sep 17 00:00:00 2001
From: Anthony Minessale
Date: Tue, 27 Jun 2017 20:58:34 -0500
Subject: [PATCH] FS-10394: [freeswitch-core] FS Crash while linphone sends ICE packets #resolve
---
 src/switch_stun.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/switch_stun.c b/src/switch_stun.c
index 0e2e9adb9f..1d10d809cf 100644
--- a/src/switch_stun.c
+++ b/src/switch_stun.c
@@ -206,11 +206,17 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t *buf, ui
 
 switch_stun_packet_first_attribute(packet, attr);
 do {
+ int16_t alen;
+
+ if (bytes_left < 4) return NULL;
+
 attr->length = ntohs(attr->length);
 attr->type = ntohs(attr->type);
 bytes_left -= 4; /* attribute header consumed */
 
- if (switch_stun_attribute_padded_length(attr) > (int)bytes_left) {
+ alen = switch_stun_attribute_padded_length(attr);
+
+ if (alen > (int)bytes_left || alen <= 0) {
 /*
 * Note we simply don't "break" here out of the loop anymore because
 * we don't want the upper layers to have to deal with attributes without a value
@@ -323,10 +329,10 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t *buf, ui
 break;
 }
 
- bytes_left -= switch_stun_attribute_padded_length(attr); /* attribute value consumed, substract padded length */
- xlen += 4 + switch_stun_attribute_padded_length(attr);
+ bytes_left -= alen; /* attribute value consumed, substract padded length */
+ xlen += 4 + alen;
 
- attr = (switch_stun_packet_attribute_t *) (attr->value + switch_stun_attribute_padded_length(attr));
+ attr = (switch_stun_packet_attribute_t *) (attr->value + alen);
 if ((void *)attr > end_buf) {
 break;
 }
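Review bot: The `alen <= 0` arm of the new length test also rejects an attribute whose length field is genuinely zero, and STUN permits those (ICE's USE-CANDIDATE carries no value), so a well-formed connectivity check could be dropped if this branch returns NULL as the surrounding comment suggests. The negative and wrap-to-zero results presumably come from the padded length being narrowed to 16 bits; the macro is not shown on this page, so that is an inference. Consider separating the two cases, `if (alen > (int)bytes_left || alen < 0 || (alen == 0 && attr->length != 0)) {`, after confirming that the attribute switch further down tolerates an empty value. The loop body and its terminating condition lie outside the hunk.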
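Review bot: The pointer test `if ((void *)attr > end_buf)` in the second hunk still lets `attr` land exactly on `end_buf`, so the only thing preventing the next iteration from reading a 4-byte attribute header there is the `bytes_left < 4` guard added at the top of the loop. Two independent bounds, a pointer and a counter, are easy to let drift apart in later edits, so the dependency deserves a comment, for example `/* attr may equal end_buf here; the bytes_left < 4 check at loop entry guards the next header read */`. Whether `end_buf` is the last byte or one past it is not visible in this hunk, so confirm that before settling the wording. The rest of the loop is outside the hunk.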