Module: kamailio
Branch: master
Commit: 87e1a4a7f5d565a59a362f22e9372697f2f2f2af
URL:
https://github.com/kamailio/kamailio/commit/87e1a4a7f5d565a59a362f22e937269…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2024-07-12T08:06:36+02:00
stun: check message len for response
---
Modified: src/modules/stun/kam_stun.c
---
Diff:
https://github.com/kamailio/kamailio/commit/87e1a4a7f5d565a59a362f22e937269…
Patch:
https://github.com/kamailio/kamailio/commit/87e1a4a7f5d565a59a362f22e937269…
---
diff --git a/src/modules/stun/kam_stun.c b/src/modules/stun/kam_stun.c
index b3c1e7877d3..3ad42ff1636 100644
--- a/src/modules/stun/kam_stun.c
+++ b/src/modules/stun/kam_stun.c
@@ -512,6 +512,10 @@ static int stun_create_response(struct stun_msg *req, struct stun_msg
*res,
}
}
+ if(res->msg.buf.len < sizeof(struct stun_hdr)) {
+ LM_ERR("invalid message\n");
+ return FATAL_ERROR;
+ }
res->hdr.len = htons(res->msg.buf.len - sizeof(struct stun_hdr));
memcpy(&res->msg.buf.s[sizeof(USHORT_T)], (void *)&res->hdr.len,
sizeof(USHORT_T));
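Review bot: The new guard on `res->msg.buf.len` covers only the lower bound, and it compares against a `size_t`. If `buf.len` is a signed `int` (as Kamailio's `str` length usually is, though the declaration is not visible in this hunk), a negative value converts to a large unsigned number and passes the check. The upper bound is also unchecked, so a difference above 65535 is silently truncated by `htons()` and the header advertises a length that does not match the buffer. Consider `if(res->msg.buf.len < (int)sizeof(struct stun_hdr) || res->msg.buf.len - sizeof(struct stun_hdr) > 0xFFFF) {` and include the offending length in the `LM_ERR` text so the failure can be triaged from logs. `stun_create_response` starts and ends outside the hunk, so whether this early `return FATAL_ERROR;` skips any cleanup cannot be judged from here.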