[Freeswitch-svn] [commit] r8354 - in freeswitch/trunk/src: . include

Freeswitch SVN mikej at freeswitch.org
Sat May 10 17:10:45 EDT 2008


Author: mikej
Date: Sat May 10 17:10:44 2008
New Revision: 8354

Modified:
   freeswitch/trunk/src/include/switch_stun.h
   freeswitch/trunk/src/switch_rtp.c
   freeswitch/trunk/src/switch_stun.c

Log:
catch buffer overflow from invalid stun packet.

Modified: freeswitch/trunk/src/include/switch_stun.h
==============================================================================
--- freeswitch/trunk/src/include/switch_stun.h	(original)
+++ freeswitch/trunk/src/include/switch_stun.h	Sat May 10 17:10:44 2008
@@ -221,7 +221,7 @@
   \param attribute the pointer to increment
   \return true or false depending on if there are any more attributes
 */
-#define switch_stun_packet_next_attribute(attribute) (attribute = (switch_stun_packet_attribute_t *) (attribute->value + attribute->length)) && attribute->length
+#define switch_stun_packet_next_attribute(attribute, end) (attribute && (attribute = (switch_stun_packet_attribute_t *) (attribute->value + attribute->length)) && ((void *)attribute < end) && attribute->length && ((void *)(attribute + attribute->length) < end))
 
 /*!
   \brief Obtain the correct length in bytes of a stun packet
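Review bot: The final bounds test in the new `switch_stun_packet_next_attribute` uses `attribute + attribute->length`, which is pointer arithmetic in units of the whole attribute struct rather than bytes, so it does not test where the attribute's value actually ends. The earlier `(void *)attribute < end` test only shows that the first byte of the next header is inside the buffer before `attribute->length` is read, so a header straddling `end` is still read past it. I would test the header with `((void *)attribute->value <= (end))` before touching `length`, and the payload with `((void *)(attribute->value + attribute->length) <= (end))`. The doc comment above the macro still lists only `\param attribute`; it needs a `\param end` line saying it points one past the last valid byte, and a remark that `attribute` is evaluated several times.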

Modified: freeswitch/trunk/src/switch_rtp.c
==============================================================================
--- freeswitch/trunk/src/switch_rtp.c	(original)
+++ freeswitch/trunk/src/switch_rtp.c	Sat May 10 17:10:44 2008
@@ -238,6 +238,7 @@
 {
 	switch_stun_packet_t *packet;
 	switch_stun_packet_attribute_t *attr;
+	void *end_buf;
 	char username[33] = { 0 };
 	unsigned char buf[512] = { 0 };
 	switch_size_t cpylen = len;
@@ -260,6 +261,7 @@
 
 	memcpy(buf, data, cpylen);
 	packet = switch_stun_packet_parse(buf, sizeof(buf));
+	end_buf = buf + sizeof(buf);
 	rtp_session->last_stun = switch_time_now();
 
 	switch_stun_packet_first_attribute(packet, attr);
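Review bot: `end_buf = buf + sizeof(buf)` bounds the attribute walk by the capacity of the local buffer rather than by the number of bytes received, so the walk stays inside `buf` but can continue into the zero-filled tail after the datagram. The context line above has the same shape: `switch_stun_packet_parse(buf, sizeof(buf))` passes the capacity, so the `len < SWITCH_STUN_PACKET_MIN_LEN` rejection visible in switch_stun.c cannot trigger for a short packet. Assuming `cpylen` is clamped to `sizeof(buf)` in the lines this hunk does not show, `end_buf = buf + cpylen;` with `switch_stun_packet_parse(buf, cpylen)` would be the tighter bound, together with a NULL check on `packet` before the first-attribute call. The `-335` hunk in switch_stun.c repeats the pattern, where `bytes` appears to hold the received length. The enclosing function starts and ends outside this hunk.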
@@ -279,7 +281,7 @@
 			}
 			break;
 		}
-	} while (switch_stun_packet_next_attribute(attr));
+	} while (switch_stun_packet_next_attribute(attr, end_buf));
 
 	if ((packet->header.type == SWITCH_STUN_BINDING_REQUEST) && !strcmp(rtp_session->user_ice, username)) {
 		uint8_t stunbuf[512];

Modified: freeswitch/trunk/src/switch_stun.c
==============================================================================
--- freeswitch/trunk/src/switch_stun.c	(original)
+++ freeswitch/trunk/src/switch_stun.c	Sat May 10 17:10:44 2008
@@ -117,6 +117,7 @@
 {
 	switch_stun_packet_t *packet;
 	switch_stun_packet_attribute_t *attr;
+	void *end_buf = buf + len;
 
 	if (len < SWITCH_STUN_PACKET_MIN_LEN) {
 		return NULL;
@@ -141,7 +142,7 @@
 			}
 			break;
 		}
-	} while (switch_stun_packet_next_attribute(attr));
+	} while (switch_stun_packet_next_attribute(attr, end_buf));
 	return packet;
 }
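Review bot: The loop closed by `} while (switch_stun_packet_next_attribute(attr, end_buf))` is a do/while, so its body runs on the first attribute before `end_buf` is ever consulted. If `SWITCH_STUN_PACKET_MIN_LEN` is the bare header size, a packet of exactly that length puts the first attribute at `end_buf`, and the body reads it anyway. I would guard the first iteration, for example by skipping the loop when `(void *)attr->value > end_buf`, or turn it into a `while` loop that checks the current attribute's extent before use. The same loop shape appears in the switch_rtp.c hunk at -279 and in the -350 hunk of this file; the loop bodies start outside the hunks.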
 
@@ -273,6 +274,7 @@
 	switch_sockaddr_t *local_addr = NULL, *remote_addr = NULL, *from_addr = NULL;
 	switch_socket_t *sock = NULL;
 	uint8_t buf[256] = { 0 };
+	void *end_buf;
 	switch_stun_packet_t *packet;
 	switch_stun_packet_attribute_t *attr;
 	switch_size_t bytes = 0;
@@ -335,6 +337,7 @@
 	switch_socket_close(sock);
 
 	packet = switch_stun_packet_parse(buf, sizeof(buf));
+	end_buf = buf + sizeof(buf);
 	switch_stun_packet_first_attribute(packet, attr);
 
 	do {
@@ -350,7 +353,7 @@
 			}
 			break;
 		}
-	} while (switch_stun_packet_next_attribute(attr));
+	} while (switch_stun_packet_next_attribute(attr, end_buf));
 
 	if (packet->header.type == SWITCH_STUN_BINDING_RESPONSE) {
 		*ip = switch_core_strdup(pool, rip);


