[sr-dev] git:3.1: stun: fix attribute padded length outside the packet case
Andrei Pelinescu-Onciul
andrei at iptel.org
Sat Apr 30 01:03:12 CEST 2011
Module: sip-router
Branch: 3.1
Commit: 725c8d7318c76e322a8eeef5423436347f56214d
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=725c8d7318c76e322a8eeef5423436347f56214d
Author: Andrei Pelinescu-Onciul <andrei at iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei at iptel.org>
Date: Sat Apr 30 00:11:02 2011 +0200
stun: fix attribute padded length outside the packet case
- check if the attribute padded length points still inside the
packet (only the un-padded value was checked before)
- use an integer and not an UINT for the remainder part of the
packet
- fix padded length computation in copy_str_to_buffer()
Closes: FS#129
Reported-by: Francesco Castellano
(cherry picked from commit 677a7bfabd0a266ebdd712b23caee75198993e4a)
---
ser_stun.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ser_stun.c b/ser_stun.c
index 6957a88..879a7ef 100644
--- a/ser_stun.c
+++ b/ser_stun.c
@@ -224,7 +224,7 @@ int stun_parse_body(
struct stun_unknown_att** unknown,
USHORT_T* error_code)
{
- UINT_T not_parsed;
+ int not_parsed;
struct stun_attr attr;
USHORT_T attr_size;
UINT_T padded_len;
@@ -384,6 +384,13 @@ int stun_parse_body(
padded_len = ntohs(attr.len);
break;
}
+
+ /* check if there is enough unparsed space for the padded attribute
+ (the padded length might be greater then the attribute length)
+ */
+ if (not_parsed < padded_len) {
+ break;
+ }
buf += padded_len;
not_parsed -= padded_len;
} /* while */
@@ -772,7 +779,7 @@ int copy_str_to_buffer(struct stun_msg* res, const char* data, UINT_T pad)
data_len = strlen(data);
memset(&empty, 0, pad);
- pad_len = pad - data_len%pad;
+ pad_len = (pad - data_len%pad) % pad;
if (buf_copy(&res->msg, (void *) data, sizeof(UCHAR_T)*data_len) != 0) {
#ifdef EXTRA_DEBUG
More information about the sr-dev
mailing list