
[reSIProcate] stunParseAtrError potential memory corruption


Hi,

We ran a static code analyzer over portions of the resip code base, and it found a likely problem in rutil/stun/Stun.cxx, in stunParseAtrError().

The comparison if ( hdrLen >= sizeof(result) ) is too loose, I think because of the sizeReason field added to the end of the struct.

Specifically, sizeof(result) is 262, thus hdrLen can be 261, which means sizeReason can be as large as 257, which means it will try copying 257 bytes into a 256 byte buffer.

Proposed change would be:
if ( hdrLen >= sizeof(result)-2 )

But I don't know enough about the protocol specifics to know if this is the correct change. Does anyone currently "own" this code?

Regards,
Kennard
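An added illustration of the bound discussed above (this is not reSIProcate's code and not part of the post). It assumes the layout the numbers imply: 4 bytes of fixed fields, a 256-byte reason buffer, then the 2-byte sizeReason, for a sizeof of 262; it also assumes the parser copies hdrLen-4 bytes into reason and NUL-terminates it. It shows why hdrLen=261 passes the loose check and how a check written against the destination buffer size rejects it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STUN_MAX_STRING 256  /* assumed reason buffer size: 262 - 4 - 2 */

/* Assumed layout; sizeof is 262, matching the figure quoted in the post. */
typedef struct {
    uint16_t pad;
    uint8_t  errorClass;
    uint8_t  number;
    char     reason[STUN_MAX_STRING];
    uint16_t sizeReason;
} StunAtrError;
_Static_assert(sizeof(StunAtrError) == 262, "layout assumption broken");

/* The check as described in the post: only hdrLen >= sizeof(result) is rejected,
 * so hdrLen == 261 is accepted and hdrLen - 4 == 257 bytes would be copied
 * into a 256-byte buffer. */
bool loose_check_accepts(unsigned hdrLen) {
    return hdrLen < sizeof(StunAtrError);
}

/* Bound stated in terms of what is actually written: the copied bytes plus a
 * NUL terminator must fit in reason[]. Equivalent to hdrLen < sizeof(result)-2. */
bool strict_check_accepts(unsigned hdrLen) {
    return hdrLen >= 4 && (hdrLen - 4) < STUN_MAX_STRING;
}

/* Parse with the strict bound; fixed fields are read byte-wise (big-endian). */
bool parse_atr_error(const unsigned char *body, unsigned hdrLen, StunAtrError *out) {
    if (!strict_check_accepts(hdrLen)) return false;
    out->pad        = (uint16_t)((body[0] << 8) | body[1]);
    out->errorClass = body[2];
    out->number     = body[3];
    out->sizeReason = (uint16_t)(hdrLen - 4);
    memcpy(out->reason, body + 4, out->sizeReason);
    out->reason[out->sizeReason] = '\0';  /* safe: sizeReason <= 255 */
    return true;
}

/* Constructed sample attribute (class 4, number 1, reason "Hello"). */
bool parse_constructed_sample(StunAtrError *out) {
    const unsigned char attr[] = {0x00, 0x00, 0x04, 0x01, 'H', 'e', 'l', 'l', 'o'};
    return parse_atr_error(attr, (unsigned)sizeof attr, out);
}
```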