Fix possible segfault in stun_message_validate_buffer_length()

author: Jakub Adam <jakub.adam@ktknet.cz> 2011-06-04 23:25:33 +0200
committer: Olivier Crête <olivier.crete@collabora.com> 2014-04-04 17:19:25 -0400
commit: 8332ca30f76da79db0a84e9da472cf36487e657b (patch)
tree: daf5f1bc2b44a5b541792150ba60d54ee66b5402 /stun
parent: fac5f3648041fd5225d5e1623625d7f6a9df615b (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/stun/stunmessage.c b/stun/stunmessage.c
index e35b3b6..b9c02b7 100644
--- a/stun/stunmessage.c
+++ b/stun/stunmessage.c
@@ -623,7 +623,16 @@ int stun_message_validate_buffer_length (const uint8_t *msg, size_t length,
   /* from then on, we know we have the entire packet in buffer */
   while (len > 0)
   {
-    size_t alen = stun_getw (msg + STUN_ATTRIBUTE_TYPE_LEN);
+    size_t alen;
+
+    if (len < 4)
+    {
+      stun_debug ("STUN error: Incomplete STUN attribute header of length "
+          "%u bytes!\n", (unsigned)len);
+      return STUN_MESSAGE_BUFFER_INVALID;
+    }
+
+    alen = stun_getw (msg + STUN_ATTRIBUTE_TYPE_LEN);
     if (has_padding)
       alen = stun_align (alen);
author	Jakub Adam <jakub.adam@ktknet.cz>	2011-06-04 23:25:33 +0200
committer	Olivier Crête <olivier.crete@collabora.com>	2014-04-04 17:19:25 -0400
commit	8332ca30f76da79db0a84e9da472cf36487e657b (patch)
tree	daf5f1bc2b44a5b541792150ba60d54ee66b5402 /stun
parent	fac5f3648041fd5225d5e1623625d7f6a9df615b (diff)