stun

simple point to point tunnel
git clone git://git.2f30.org/stun
Log | Files | Refs | README

commit 0ae9423d7c9b6a3ac2efc064bc5e977b0ef8a6ee
parent 8156207617024e8548d0d491f4aba95a691d8bfd
Author: sin <sin@2f30.org>
Date:   Sat, 26 Mar 2016 10:49:08 +0000

Check pktlen against input buffer size

Diffstat:
Mstun.c | 6++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/stun.c b/stun.c @@ -403,8 +403,10 @@ readnet(int fd, unsigned char *buf, int len) n = readall(fd, hdr, sizeof(hdr)); if (n <= 0) return n; - paddedlen = padto(pktlen = unpack16(hdr), AES_BLOCK_SIZE); - if (paddedlen < 0 || paddedlen > MTU + AES_BLOCK_SIZE) { + pktlen = unpack16(hdr); + paddedlen = padto(pktlen, AES_BLOCK_SIZE); + if (pktlen < 0 || pktlen > len || + paddedlen < 0 || paddedlen > MTU + AES_BLOCK_SIZE) { logwarn("bogus payload length: %d", paddedlen); return -1; }