Module: sip-router
Branch: 3.1
Commit: 725c8d7318c76e322a8eeef5423436347f56214d
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=725c8d7…
Author: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Committer: Andrei Pelinescu-Onciul <andrei(a)iptel.org>
Date: Sat Apr 30 00:11:02 2011 +0200
stun: fix attribute padded length outside the packet case
- check that the padded attribute length still lies inside the
packet (previously only the un-padded length was checked)
- use an integer and not an UINT for the remainder part of the
packet
- fix padded length computation in copy_str_to_buffer()
Closes: FS#129
Reported-by: Francesco Castellano
(cherry picked from commit 677a7bfabd0a266ebdd712b23caee75198993e4a)
---
ser_stun.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ser_stun.c b/ser_stun.c
index 6957a88..879a7ef 100644
--- a/ser_stun.c
+++ b/ser_stun.c
@@ -224,7 +224,7 @@ int stun_parse_body(
struct stun_unknown_att** unknown,
USHORT_T* error_code)
{
- UINT_T not_parsed;
+ int not_parsed;
struct stun_attr attr;
USHORT_T attr_size;
UINT_T padded_len;
@@ -384,6 +384,13 @@ int stun_parse_body(
padded_len = ntohs(attr.len);
break;
}
+
+ /* check if there is enough unparsed space for the padded attribute
+ (the padded length might be greater then the attribute length)
+ */
+ if (not_parsed < padded_len) {
+ break;
+ }
buf += padded_len;
not_parsed -= padded_len;
} /* while */
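Review bot: The added guard `if (not_parsed < padded_len)` compares `not_parsed`, which the first hunk turns into an `int`, with `padded_len`, which is still `UINT_T`; if `UINT_T` is an unsigned type of at least `int` rank (its typedef is not visible here), the comparison is done unsigned, so a negative `not_parsed` would be read as a very large value and pass the check. Whether `not_parsed` can go negative depends on the earlier subtractions in the `stun_parse_body` loop, which lie outside this hunk, so the safe form makes the sign explicit: `if (not_parsed < 0 || (UINT_T)not_parsed < padded_len) break;`. The same mixed-sign arithmetic applies to `not_parsed -= padded_len;` two lines further down. The `break` also ends parsing without setting an error in the visible lines; it is worth confirming that the code after the loop rejects a message whose last attribute is truncated.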
@@ -772,7 +779,7 @@ int copy_str_to_buffer(struct stun_msg* res, const char* data, UINT_T
pad)
data_len = strlen(data);
memset(&empty, 0, pad);
- pad_len = pad - data_len%pad;
+ pad_len = (pad - data_len%pad) % pad;
if (buf_copy(&res->msg, (void *) data, sizeof(UCHAR_T)*data_len) != 0) {
#ifdef EXTRA_DEBUG