From cdedcb4922ecb2edfd6aedbcdcdd6c4c6b71dc88 Mon Sep 17 00:00:00 2001
From: file <file@f38db490-d61c-443f-a65b-d21fe96a405b>
Date: Tue, 17 Jul 2007 20:40:57 +0000
Subject: Ensure that the pointer to STUN data does not go to unaccessible
 memory. (ASA-2007-017)

git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@75439 f38db490-d61c-443f-a65b-d21fe96a405b
---
 main/rtp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'main/rtp.c')

diff --git a/main/rtp.c b/main/rtp.c
index 4b55a2517..035c51cef 100644
--- a/main/rtp.c
+++ b/main/rtp.c
@@ -450,9 +450,9 @@ static int stun_handle_packet(int s, struct sockaddr_in *src, unsigned char *dat
 			break;
 		}
 		attr = (struct stun_attr *)data;
-		if (ntohs(attr->len) > len) {
+		if ((ntohs(attr->len) + sizeof(struct stun_attr)) > len) {
 			if (option_debug)
-				ast_log(LOG_DEBUG, "Inconsistent Attribute (length %d exceeds remaining msg len %zd)\n", ntohs(attr->len), len);
+				ast_log(LOG_DEBUG, "Inconsistent Attribute (length %d exceeds remaining msg len %zd)\n", (ntohs(attr->len) + sizeof(struct stun_attr)), len);
 			break;
 		}
 		if (stun_process_attr(&st, attr)) {
-- 
cgit v1.2.3