[reSIProcate] stunParseAtrError potential memory corruption
Hi,
We ran a static code analyizer over portions of the resip code base, and it found a likely problem in rutil/stun/Stun.cxx, in stunParseAtrError().
The comparison if ( hdrLen >= sizeof(result) ) is too loose, I think because of the sizeReason field added to the end of the struct.
Specifically, sizeof(result) is 262, thus hdrLen can be 261, which means sizeReason can be as large as 257, which means it will try copying 257 bytes into a 256 byte buffer.
Proposed change would be:
if ( hdrLen >= sizeof(result)-2 )
But I don't know enough about the protocol specifics to know if this is the correct change. Does anyone currently "own" this code?
Regards,
Kennard