- fixes a buffer overflow occurring if an RTP packet...:

- ... is too big.
  - ... has a wrong header length.

Thanks to Andrei for that year-old-yet-not-applied patch!


git-svn-id: http://svn.berlios.de/svnroot/repos/sems/trunk@221 8eb893ce-cfd4-0310-b710-fb5ebe64c474
sayer/1.4-spce2.6
Raphael Coeffic 19 years ago
parent e97f7c8067
commit 6fb4e0eaaa

@ -99,9 +99,17 @@ int AmRtpPacket::parse()
ssrc = ntohl(hdr->ssrc); ssrc = ntohl(hdr->ssrc);
data_offset = sizeof(rtp_hdr_t) + (hdr->cc*4); data_offset = sizeof(rtp_hdr_t) + (hdr->cc*4);
if (data_offset >= (long)b_size) {
ERROR("bad rtp packet (header size too big) !\n");
return -1;
}
d_size = b_size - data_offset; d_size = b_size - data_offset;
if(hdr->p){ if(hdr->p){
if (data[d_size-1]>=d_size){
ERROR("bad rtp packet (invalid padding size) !\n");
return -1;
}
d_size -= buffer[data_offset+d_size-1]; d_size -= buffer[data_offset+d_size-1];
} }
@ -121,13 +129,13 @@ int AmRtpPacket::compile(unsigned char* data_buf, unsigned int size)
d_size = size; d_size = size;
b_size = d_size + sizeof(rtp_hdr_t); b_size = d_size + sizeof(rtp_hdr_t);
assert(b_size <= 4096); assert(b_size <= 4096);
// buffer = new unsigned char [b_size];
rtp_hdr_t* hdr = (rtp_hdr_t*)buffer; rtp_hdr_t* hdr = (rtp_hdr_t*)buffer;
// if(!buffer){ if(b_size>sizeof(buffer)){
// ERROR("not enough memory !\n"); ERROR("builtin buffer size (%d) exceeded: %d\n",
// return -1; (int)sizeof(buffer), b_size);
// } return -1;
}
memset(hdr,0,sizeof(rtp_hdr_t)); memset(hdr,0,sizeof(rtp_hdr_t));
hdr->version = RTP_VERSION; hdr->version = RTP_VERSION;
@ -174,23 +182,16 @@ int AmRtpPacket::recv(int sd)
socklen_t recv_addr_len = sizeof(struct sockaddr_in); socklen_t recv_addr_len = sizeof(struct sockaddr_in);
#endif #endif
int ret = recvfrom(sd,buffer,4096, int ret = recvfrom(sd,buffer,sizeof(buffer),0,
MSG_TRUNC | MSG_DONTWAIT,
(struct sockaddr*)&addr, (struct sockaddr*)&addr,
&recv_addr_len); &recv_addr_len);
if(ret > 0){ if(ret > 0){
// buffer = new unsigned char [ret];
// if(!buffer){
// ERROR("not enough memory !\n");
// return -1;
// }
if(ret > 4096) if(ret > 4096)
return -1; return -1;
b_size = ret; b_size = ret;
// memcpy(buffer,recv_buffer,b_size);
} }
return ret; return ret;
@ -199,14 +200,5 @@ int AmRtpPacket::recv(int sd)
void AmRtpPacket::copy(const AmRtpPacket* p) void AmRtpPacket::copy(const AmRtpPacket* p)
{ {
memcpy(this,p,sizeof(AmRtpPacket)); memcpy(this,p,sizeof(AmRtpPacket));
// buffer = new unsigned char [b_size];
// if(!buffer){
// ERROR("not enough memory !\n");
// data = 0;
// b_size = d_size = 0;
// return;
// }
memcpy(buffer,p->buffer,b_size); memcpy(buffer,p->buffer,b_size);
} }
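Review bot: In the parse() hunk the new padding guard reads the pad count as `data[d_size-1]`, while the subtraction directly below it reads `buffer[data_offset+d_size-1]`. Nothing in the hunk shows `data` being set to `buffer + data_offset` for the current packet before this point, so the guard may validate a different byte than the one that is subtracted, leaving `d_size` wrong for a packet with the padding bit set. Read the same byte in both places, `if (buffer[data_offset+d_size-1] >= d_size){`, so the check and the arithmetic cannot disagree. parse() starts and ends outside the hunk, so it is not visible here whether `b_size` is compared with `sizeof(rtp_hdr_t)` before the header fields are read.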
