diff options
author | Jakub Adam <jakub.adam@ktknet.cz> | 2011-06-04 23:25:33 +0200 |
---|---|---|
committer | Olivier CrĂȘte <olivier.crete@collabora.com> | 2014-04-04 17:19:25 -0400 |
commit | 8332ca30f76da79db0a84e9da472cf36487e657b (patch) | |
tree | daf5f1bc2b44a5b541792150ba60d54ee66b5402 /stun | |
parent | fac5f3648041fd5225d5e1623625d7f6a9df615b (diff) |
Fix possible segfault in stun_message_validate_buffer_length()
Diffstat (limited to 'stun')
-rw-r--r-- | stun/stunmessage.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/stun/stunmessage.c b/stun/stunmessage.c index e35b3b6..b9c02b7 100644 --- a/stun/stunmessage.c +++ b/stun/stunmessage.c @@ -623,7 +623,16 @@ int stun_message_validate_buffer_length (const uint8_t *msg, size_t length, /* from then on, we know we have the entire packet in buffer */ while (len > 0) { - size_t alen = stun_getw (msg + STUN_ATTRIBUTE_TYPE_LEN); + size_t alen; + + if (len < 4) + { + stun_debug ("STUN error: Incomplete STUN attribute header of length " + "%u bytes!\n", (unsigned)len); + return STUN_MESSAGE_BUFFER_INVALID; + } + + alen = stun_getw (msg + STUN_ATTRIBUTE_TYPE_LEN); if (has_padding) alen = stun_align (alen); |