
Commit da53e4f

authored
Merge pull request #182 from QiuhaoLi/fix-stun-parser-oob
stun: add checks for STUN message len and attr len
2 parents 2cb3820 + 9defd6f commit da53e4f

2 files changed

+17
-4
lines changed


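--- a/libsofia-sip-ua/stun/sofia-sip/stun_common.h
+++ b/libsofia-sip-ua/stun/sofia-sip/stun_common.h
@@ -192,7 +192,7 @@ typedef struct stun_attr_unknownattributes_s{
 
 /* Common functions */
 int stun_parse_message(stun_msg_t *msg);
-int stun_parse_attribute(stun_msg_t *msg, unsigned char *p);
+int stun_parse_attribute(stun_msg_t *msg, unsigned char *p, size_t left_len);
 int stun_parse_attr_address(stun_attr_t *attr, const unsigned char *p, unsigned len);
 int stun_parse_attr_error_code(stun_attr_t *attr, const unsigned char *p, unsigned len);
 int stun_parse_attr_unknown_attributes(stun_attr_t *attr, const unsigned char *p, unsigned len);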
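Review bot: The new `left_len` parameter on the stun_parse_attribute prototype is undocumented, and its meaning decides how every caller must size it: from the check in stun_common.c (`left_len - 4 < len`) and the call site passing the remaining message length, it counts bytes available from `p` including the 4-byte type/length header, not just the value bytes. A one-line comment on the prototype, `/* left_len: bytes readable from p, including the 4-byte attribute header */`, would make that contract visible to other callers of this exported function. As a point of style, the sibling prototypes in this block take their length as `unsigned len` while the new parameter is `size_t left_len`; either type is fine, but the header is more readable if the length parameters agree.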

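--- a/libsofia-sip-ua/stun/stun_common.c
+++ b/libsofia-sip-ua/stun/stun_common.c
@@ -87,6 +87,13 @@ int stun_parse_message(stun_msg_t *msg)
 
 /* parse header first */
 p = msg->enc_buf.data;
+
+if (get16(p, 2) > (msg->enc_buf.size - 20))
+{
+SU_DEBUG_3(("%s: Error STUN Message Length is too big.\n", __func__));
+return -1;
+}
+
 msg->stun_hdr.msg_type = get16(p, 0);
 msg->stun_hdr.msg_len = get16(p, 2);
 memcpy(msg->stun_hdr.tran_id, p + 4, STUN_TID_BYTES);
@@ -98,8 +105,8 @@ int stun_parse_message(stun_msg_t *msg)
 len = msg->stun_hdr.msg_len;
 p = msg->enc_buf.data + 20;
 msg->stun_attr = NULL;
-while (len > 0) {
-i = stun_parse_attribute(msg, p);
+while (len >= 4) { // Type (2) + Length (2) + Value (variable) min attribute size
+i = stun_parse_attribute(msg, p, len);
 if (i <= 0 || i > len) {
 SU_DEBUG_3(("%s: Error parsing attribute.\n", __func__));
 return -1;
@@ -111,7 +118,7 @@ int stun_parse_message(stun_msg_t *msg)
 return 0;
 }
 
-int stun_parse_attribute(stun_msg_t *msg, unsigned char *p)
+int stun_parse_attribute(stun_msg_t *msg, unsigned char *p, size_t left_len)
 {
 int len;
 uint16_t attr_type;
@@ -120,6 +127,12 @@ int stun_parse_attribute(stun_msg_t *msg, unsigned char *p)
 attr_type = get16(p, 0);
 len = get16(p, 2);
 
+if ((left_len - 4) < len) // make sure we have enough space for attribute
+{
+SU_DEBUG_3(("%s: Error STUN attr len is too big.\n", __func__));
+return -1;
+}
+
 SU_DEBUG_5(("%s: received attribute: Type %02X, Length %d - %s\n",
 __func__, attr_type, len, stun_attr_phrase(attr_type)));
 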
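Review bot: The guard at new line 130, `if ((left_len - 4) < len)`, subtracts from a `size_t` before confirming `left_len` is at least 4, so any caller passing a smaller value wraps the left side to a huge number and the check is bypassed; the loop in stun_parse_message now guarantees `len >= 4`, but stun_parse_attribute is exported in stun_common.h, so it should enforce its own precondition, e.g. `if (left_len < 4 || left_len - 4 < (size_t)len)`. The same shape appears in the first hunk at new line 91, `get16(p, 2) > (msg->enc_buf.size - 20)`: unless a check outside the hunk already rejects buffers shorter than the 20-byte header, the subtraction underflows (or goes negative and is then compared against an unsigned value) before the comparison, and the reads at `p + 2` and `p + 4` that follow would run past a short buffer, so a `msg->enc_buf.size < 20` test ahead of it is worth adding. The new comparison also mixes `size_t` with the `int len` declared at new line 123, which -Wsign-compare flags; the explicit cast above states the intent. Both stun_parse_message and stun_parse_attribute continue outside the shown hunks, so whether the loop's remaining-length bookkeeping and the attribute's 4-byte padding are handled consistently after these checks cannot be confirmed here.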