path: root/net-libs/pjproject/files/pjproject-2.13-r1-CVE-2022-23547-buffer-overread-on-STUN-decode.patch
From bc4812d31a67d5e2f973fbfaf950d6118226cf36 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Fri, 23 Dec 2022 15:05:28 +0800
Subject: [PATCH] Merge pull request from GHSA-cxwq-5g9x-x7fr

* Fixed heap buffer overflow when parsing STUN errcode attribute

* Also fixed uint parsing
---
 pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index c6b0bdd284..b55d29849a 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -1438,12 +1438,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
     attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
     GETATTRHDR(buf, &attr->hdr);
 
-    attr->value = GETVAL32H(buf, 4);
-
     /* Check that the attribute length is valid */
     if (attr->hdr.length != 4)
         return PJNATH_ESTUNINATTRLEN;
 
+    attr->value = GETVAL32H(buf, 4);
+
     /* Done */
     *p_attr = attr;
 
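Review bot: The `attr->hdr.length != 4` test in decode_uint_attr validates only the length field the sender wrote, so the relocated `GETVAL32H(buf, 4)` is in bounds only if the caller has already confirmed that `ATTR_HDR_LEN + attr->hdr.length` bytes remain in the received PDU. That caller-side check is not visible in this hunk, and the function begins and ends outside it, so the precondition should be confirmed and written down. I would add a comment above the read such as `/* Value read must stay after the length check; caller guarantees hdr.length bytes follow the header. */`. The same precondition covers the `buf[6]`/`buf[7]` reads and the reason string in the decode_errcode_attr hunk below.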
@@ -1757,14 +1757,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
     attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
     GETATTRHDR(buf, &attr->hdr);
 
+    /* Check that the attribute length is valid */
+    if (attr->hdr.length < 4)
+        return PJNATH_ESTUNINATTRLEN;
+
     attr->err_code = buf[6] * 100 + buf[7];
 
     /* Get pointer to the string in the message */
     value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
     value.slen = attr->hdr.length - 4;
-    /* Make sure the length is never negative */
-    if (value.slen < 0)
-        value.slen = 0;
 
     /* Copy the string to the attribute */
     pj_strdup(pool, &attr->reason, &value);
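Review bot: `attr->err_code = buf[6] * 100 + buf[7];` still uses both bytes unmasked and unranged, so after the new length check a peer can still produce any value up to 25755 (255 * 100 + 255). RFC 5389 defines the class as the low three bits of that byte, with values 3 to 6, and the number as 0 to 99. Consider `attr->err_code = (buf[6] & 0x7) * 100 + buf[7];` and rejecting `buf[7] > 99` as a decode error. Whether any consumer of `err_code` is affected by out-of-range values cannot be seen from this hunk, and decode_errcode_attr continues outside it. It would also help to extend the new comment to say that the check is what keeps `value.slen` non-negative, since the old clamp is removed.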