From 396e723f174e869607bba200c7bcfe9506e4b037 Mon Sep 17 00:00:00 2001
From: Joshua Colp
Date: Tue, 17 Jul 2007 20:40:57 +0000
Subject: [PATCH] Ensure that the pointer to STUN data does not go to unaccessible memory. (ASA-2007-017)

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@75439 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 main/rtp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/main/rtp.c b/main/rtp.c
index 4b55a25173..035c51cefd 100644
--- a/main/rtp.c
+++ b/main/rtp.c
@@ -450,9 +450,9 @@ static int stun_handle_packet(int s, struct sockaddr_in *src, unsigned char *dat
 break;
 }
 attr = (struct stun_attr *)data;
- if (ntohs(attr->len) > len) {
+ if ((ntohs(attr->len) + sizeof(struct stun_attr)) > len) {
 if (option_debug)
- ast_log(LOG_DEBUG, "Inconsistent Attribute (length %d exceeds remaining msg len %zd)\n", ntohs(attr->len), len);
+ ast_log(LOG_DEBUG, "Inconsistent Attribute (length %d exceeds remaining msg len %zd)\n", (ntohs(attr->len) + sizeof(struct stun_attr)), len);
 break;
 }
 if (stun_process_attr(&st, attr)) {
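Review bot: The rewritten `ast_log` call passes `ntohs(attr->len) + sizeof(struct stun_attr)` to a `%d` conversion, but that sum has type `size_t`, so format and argument no longer match (undefined behaviour, and on LP64 targets the following `%zd` argument can be misread). Either change the conversion to `%zu`, or keep logging the raw attribute length as before: `"... (length %d exceeds remaining msg len %zd)\n", ntohs(attr->len), len`. The new bound itself looks right for requiring header plus value to fit in the remaining bytes, but it depends on `len` already being at least `sizeof(struct stun_attr)` before `attr->len` is read; the preceding `break; }` context suggests such a check exists, though it and the pointer advance after `stun_process_attr` are outside the hunk. A short comment above the test, such as `/* attr->len comes off the wire: header + value must fit in what is left */`, would record why the header size is added.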