From bc4812d31a67d5e2f973fbfaf950d6118226cf36 Mon Sep 17 00:00:00 2001
From: sauwming
Date: Fri, 23 Dec 2022 15:05:28 +0800
Subject: [PATCH] Merge pull request from GHSA-cxwq-5g9x-x7fr

* Fixed heap buffer overflow when parsing STUN errcode attribute
* Also fixed uint parsing
---
 pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index c6b0bdd284..b55d29849a 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -1438,12 +1438,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
 attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
 GETATTRHDR(buf, &attr->hdr);
- attr->value = GETVAL32H(buf, 4);
-
 /* Check that the attribute length is valid */
 if (attr->hdr.length != 4)
 return PJNATH_ESTUNINATTRLEN;
+ attr->value = GETVAL32H(buf, 4);
+
 /* Done */
 *p_attr = attr;
@@ -1757,14 +1757,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
 attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
 GETATTRHDR(buf, &attr->hdr);
+ /* Check that the attribute length is valid */
+ if (attr->hdr.length < 4)
+ return PJNATH_ESTUNINATTRLEN;
+
 attr->err_code = buf[6] * 100 + buf[7];
 /* Get pointer to the string in the message */
 value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
 value.slen = attr->hdr.length - 4;
- /* Make sure the length is never negative */
- if (value.slen < 0)
- value.slen = 0;
 /* Copy the string to the attribute */
 pj_strdup(pool, &attr->reason, &value);
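Review bot: The reordered length check in decode_uint_attr only makes `GETVAL32H(buf, 4)` safe if the caller has already confirmed that `attr->hdr.length` bytes actually follow the header in the message buffer; nothing in this hunk establishes that, and the same dependency applies to the `buf[6]`/`buf[7]` reads and the `value.ptr`/`value.slen` window in the decode_errcode_attr hunk. If that bound is enforced in the generic attribute-decoding loop, as seems likely, a comment at the check would spare the next reader the same question, e.g. `/* The caller has bounded hdr.length against the remaining message; here we only validate this attribute's own layout */`. decode_uint_attr starts before the hunk and its return follows after it.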
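Review bot: With the new `hdr.length < 4` check in place, `attr->err_code = buf[6] * 100 + buf[7];` still consumes the class byte unmasked: in the STUN ERROR-CODE layout only the low three bits of that byte carry the class and the remaining bits are reserved, so a peer that sets them produces an `err_code` far outside the 300–699 range the rest of the code presumably expects, and a number byte of 100 or more is likewise accepted as-is. Masking and range-checking here would keep malformed input from propagating, e.g. `attr->err_code = (buf[6] & 0x07) * 100 + buf[7];` together with rejecting `buf[7] >= 100` (PJNATH_ESTUNINATTRLEN is a length error, so a more specific status would fit better if the module has one). Whether `buf` is an unsigned byte type, so that `buf[6]` cannot be negative, is not visible in this hunk and is worth confirming. decode_errcode_attr's body begins before the hunk and continues after the `pj_strdup` call.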