kenmirrors
/
freeswitch
mirror of https://github.com/signalwire/freeswitch.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

FS-10394: [freeswitch-core] FS Crash while linphone sends ICE packets #resolve

This commit is contained in:
Anthony Minessale 2017-06-27 20:58:34 -05:00 committed by Brian West
parent 823b5bc6f8
commit c7250805d6
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/switch_stun.c
View File

@ -206,11 +206,17 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t *buf, ui
switch_stun_packet_first_attribute(packet, attr);
do {
int16_t alen;
if (bytes_left < 4) return NULL;
attr->length = ntohs(attr->length);
attr->type = ntohs(attr->type);
bytes_left -= 4; /* attribute header consumed */
if (switch_stun_attribute_padded_length(attr) > (int)bytes_left) {
alen = switch_stun_attribute_padded_length(attr);
if (alen > (int)bytes_left || alen <= 0) {
/*
* Note we simply don't "break" here out of the loop anymore because
* we don't want the upper layers to have to deal with attributes without a value
@ -323,10 +329,10 @@ SWITCH_DECLARE(switch_stun_packet_t *) switch_stun_packet_parse(uint8_t *buf, ui
break;
}
bytes_left -= switch_stun_attribute_padded_length(attr); /* attribute value consumed, substract padded length */
xlen += 4 + switch_stun_attribute_padded_length(attr);
bytes_left -= alen; /* attribute value consumed, substract padded length */
xlen += 4 + alen;
attr = (switch_stun_packet_attribute_t *) (attr->value + switch_stun_attribute_padded_length(attr));
attr = (switch_stun_packet_attribute_t *) (attr->value + alen);
if ((void *)attr > end_buf) {
break;
}