path: root/net-libs/pjproject/files/pjproject-2.12.1-CVE-2022-31031.patch
blob: 637b7f374ffcace2cbfac3676c0cd87e2e7e3089 (plain)
From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Tue, 7 Jun 2022 12:00:13 +0800
Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj

---
 pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c
index 722519584..d0549176d 100644
--- a/pjlib-util/src/pjlib-util/stun_simple.c
+++ b/pjlib-util/src/pjlib-util/stun_simple.c
@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
 {
     pj_uint16_t msg_type, msg_len;
     char *p_attr;
+    int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
 
     PJ_CHECK_STACK();
 
@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
     msg->attr_count = 0;
     p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
 
-    while (msg_len > 0) {
+    while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
 	pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
 	pj_uint32_t len;
 	pj_uint16_t attr_type;
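Review bot: The new bound `msg->attr_count < attr_max_cnt` in the `while` condition has no comment explaining it, and the reason is not obvious from the loop alone: `msg->attr` is a fixed-size array, while the number of attributes is driven by the received buffer. I would add above the loop `/* Never index past msg->attr[]; the attribute count is driven by the received message. */`. The loop body continues outside this hunk, so the per-attribute length checks cannot be reviewed here.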
@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,
 	p_attr += len;
 	++msg->attr_count;
     }
+    if (msg->attr_count == attr_max_cnt) {
+	PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
+		   attr_max_cnt));
+    }
 
     return PJ_SUCCESS;
 }
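Review bot: The post-loop check `msg->attr_count == attr_max_cnt` also fires for a message that carries exactly the maximum number of attributes and was parsed completely, so the warning cannot tell truncation from a full but valid message. If `msg_len` is reduced per attribute in the part of the loop outside this hunk (the loop condition suggests it is), `if (msg_len > 0 && msg->attr_count == attr_max_cnt) {` would log only when attributes were actually dropped. The function still returns `PJ_SUCCESS` in that case, so callers get a silently truncated attribute list. Whether to return an error such as `PJ_ETOOMANY` instead depends on callers not shown here, and either way the choice deserves a short comment next to the log call.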