diff options
| author | file <file@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-17 20:40:57 +0000 |
|---|---|---|
| committer | file <file@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-17 20:40:57 +0000 |
| commit | cdedcb4922ecb2edfd6aedbcdcdd6c4c6b71dc88 (patch) | |
| tree | e3e7fc1471b7146d25bf25cb7f655aa01f13e096 | |
| parent | ad76d2558160eeeee9116a1ba15487fb560c4368 (diff) | |
Ensure that the pointer to STUN data does not go to unaccessible memory. (ASA-2007-017)
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@75439 f38db490-d61c-443f-a65b-d21fe96a405b
| -rw-r--r-- | main/rtp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/main/rtp.c b/main/rtp.c index 4b55a2517..035c51cef 100644 --- a/main/rtp.c +++ b/main/rtp.c @@ -450,9 +450,9 @@ static int stun_handle_packet(int s, struct sockaddr_in *src, unsigned char *dat break; } attr = (struct stun_attr *)data; - if (ntohs(attr->len) > len) { + if ((ntohs(attr->len) + sizeof(struct stun_attr)) > len) { if (option_debug) - ast_log(LOG_DEBUG, "Inconsistent Attribute (length %d exceeds remaining msg len %zd)\n", ntohs(attr->len), len); + ast_log(LOG_DEBUG, "Inconsistent Attribute (length %d exceeds remaining msg len %zd)\n", (ntohs(attr->len) + sizeof(struct stun_attr)), len); break; } if (stun_process_attr(&st, attr)) { |