Changeset 1150 for pjproject/trunk/pjnath/src/pjnath/stun_msg.c

Timestamp:

Apr 4, 2007 5:29:36 PM (17 years ago)

Author:

bennylp

Message:

Fixed crash with invalid PDU and added MAGIC-COOKIE attribute for backward compatibility with old TURN

File:

• pjproject/trunk/pjnath/src/pjnath/stun_msg.c (modified) (4 diffs)

pjproject/trunk/pjnath/src/pjnath/stun_msg.c

@@ -233 +233 @@
     },
     {
-        /* ID 0x000F is not assigned */
-        NULL,
-        NULL,
-        NULL
+        /* PJ_STUN_ATTR_MAGIC_COOKIE */
+        "MAGIC-COOKIE",
+        &decode_uint_attr,
+        &encode_uint_attr
     },
     {
@@ -1773 +1773 @@
     /* Parse attributes */
     uattr_cnt = 0;
-    while (pdu_len > 0) {
+    while (pdu_len >= 4) {
         unsigned attr_type, attr_val_len;
         const struct attr_desc *adesc;
@@ -1780 +1780 @@
          * to 4 bytes boundary, add padding.
          */
-        attr_type = pj_ntohs(*(pj_uint16_t*)pdu);
-        attr_val_len = pj_ntohs(*(pj_uint16_t*)(pdu+2));
+        attr_type = GETVAL16H(pdu, 0);
+        attr_val_len = GETVAL16H(pdu, 2);
         attr_val_len = (attr_val_len + 3) & (~3);
 
@@ -1920 +1920 @@
         }
 
-        pdu += (attr_val_len + 4);
-        pdu_len -= (attr_val_len + 4);
+        if (attr_val_len + 4 >= pdu_len) {
+            pdu += pdu_len;
+            pdu_len = 0;
+        } else {
+            pdu += (attr_val_len + 4);
+            pdu_len -= (attr_val_len + 4);
+        }
+    }
+
+    if (pdu_len > 0) {
+        /* Stray trailing bytes */
+        PJ_LOG(4,(THIS_FILE, 
+                  "Error decoding STUN message: unparsed trailing %d bytes",
+                  pdu_len));
+        return PJNATH_EINSTUNMSGLEN;
     }