Module: sip-router Branch: 3.1 Commit: 725c8d7318c76e322a8eeef5423436347f56214d URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=725c8d73...
Author: Andrei Pelinescu-Onciul andrei@iptel.org Committer: Andrei Pelinescu-Onciul andrei@iptel.org Date: Sat Apr 30 00:11:02 2011 +0200
stun: fix attribute padded length outside the packet case
- check that the attribute's padded length still points inside the packet (only the un-padded value was checked before)
- use an integer instead of a UINT for the remaining part of the packet
- fix the padded length computation in copy_str_to_buffer()
Closes: FS#129 Reported-by: Francesco Castellano (cherry picked from commit 677a7bfabd0a266ebdd712b23caee75198993e4a)
---
ser_stun.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ser_stun.c b/ser_stun.c
index 6957a88..879a7ef 100644
--- a/ser_stun.c
+++ b/ser_stun.c
@@ -224,7 +224,7 @@ int stun_parse_body(
 struct stun_unknown_att** unknown,
 USHORT_T* error_code)
 {
- UINT_T not_parsed;
+ int not_parsed;
 struct stun_attr attr;
 USHORT_T attr_size;
 UINT_T padded_len;
@@ -384,6 +384,13 @@ int stun_parse_body(
 padded_len = ntohs(attr.len);
 break;
 }
+
+ /* check if there is enough unparsed space for the padded attribute
+ (the padded length might be greater then the attribute length)
+ */
+ if (not_parsed < padded_len) {
+ break;
+ }
 buf += padded_len;
 not_parsed -= padded_len;
 } /* while */
@@ -772,7 +779,7 @@ int copy_str_to_buffer(struct stun_msg* res, const char* data, UINT_T pad)
 data_len = strlen(data);
 memset(&empty, 0, pad);
- pad_len = pad - data_len%pad;
+ pad_len = (pad - data_len%pad) % pad;
 if (buf_copy(&res->msg, (void *) data, sizeof(UCHAR_T)*data_len) != 0) {
 #ifdef EXTRA_DEBUG
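Review bot: The new guard `if (not_parsed < padded_len)` in the second hunk compares `not_parsed`, which the first hunk changes to `int`, with `padded_len`, which is still declared `UINT_T`. If UINT_T is an unsigned type at least as wide as int, as its name suggests, a negative `not_parsed` is converted to a large unsigned value and the guard does not fire. Whether `not_parsed` can become negative depends on the other subtractions in the loop, which are outside the hunk, so spelling the intent out is safer: `if (not_parsed < 0 || (UINT_T)not_parsed < padded_len) {`. The `break` also leaves the loop with no error indication visible here for an attribute whose padding runs past the packet; the code after the `while` is outside the hunk, so it is worth confirming that such a packet is not then treated as well-formed.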
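Review bot: `pad` is used as a divisor twice in the new `pad_len = (pad - data_len%pad) % pad;` and as the length of `memset(&empty, 0, pad)` just above it, yet the hunk shows no check that it is non-zero and no larger than `empty`. The start of copy_str_to_buffer() and the declaration of `empty` are outside the hunk, so a guard may already exist. If it does not, a test such as `if (pad == 0 || pad > sizeof(empty))` that fails before the memset would cover both the division and the write. A short comment on the changed line would also help the next reader, for example `/* % pad: an already aligned length needs 0 padding bytes, not pad */`.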