[sr-dev] git:master:3198b66a: core: more checks for extract_candidate()

23 Jan 2025

Module: kamailio
Branch: master
Commit: 3198b66aa5dbda1c6a03f46a610073671cbd5157
URL: https://github.com/kamailio/kamailio/commit/3198b66aa5dbda1c6a03f46a6100736…

Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt;
Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt;
Date: 2025-01-23T11:52:29+01:00

core: more checks for extract_candidate()

---

Modified: src/core/parser/sdp/sdp_helpr_funcs.c

---

Diff: 
https://github.com/kamailio/kamailio/commit/3198b66aa5dbda1c6a03f46a6100736…
Patch:
https://github.com/kamailio/kamailio/commit/3198b66aa5dbda1c6a03f46a6100736…

---

diff --git a/src/core/parser/sdp/sdp_helpr_funcs.c
b/src/core/parser/sdp/sdp_helpr_funcs.c
index 483cfdec70e..61022b6148f 100644
--- a/src/core/parser/sdp/sdp_helpr_funcs.c
+++ b/src/core/parser/sdp/sdp_helpr_funcs.c
@@ -314,7 +314,7 @@ int extract_candidate(str *body, sdp_stream_cell_t *stream)
 	int len, fl;
 	sdp_ice_attr_t *ice_attr;
 
-	if((body->len < 12) || (strncasecmp(body->s, "a=candidate:", 12) !=
0)) {
+	if((body->len <= 12) || (strncasecmp(body->s, "a=candidate:", 12) !=
0)) {
 		/*LM_DBG("We are not pointing to an a=candidate: attribute
=>`%.*s'\n", body->len, body->s); */
 		return -1;
 	}
@@ -332,6 +332,10 @@ int extract_candidate(str *body, sdp_stream_cell_t *stream)
 
 	start = space + 1;
 	len = len - (space - start + 1);
+	if(start + len > body->s + body->len) {
+		LM_ERR("no component in `a=candidate'\n");
+		return -1;
+	}
 	space = memchr(start, 32, len);
 	if(space == NULL) {
 		LM_ERR("no component in `a=candidate'\n");


    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

[sr-dev] git:master:3198b66a: core: more checks for extract_candidate()