[reSIProcate] stunParseAtrError potential memory corruption

Kennard White kennard_white at logitech.com
Mon Dec 20 21:26:13 CST 2010


Hi,

We ran a static code analyzer over portions of the resip code base, and it
found a likely problem in rutil/stun/Stun.cxx, in stunParseAtrError().

The comparison if ( hdrLen >= sizeof(result) ) is too loose, I think because
of the sizeReason field added to the end of the struct.

Specifically, sizeof(result) is 262, thus hdrLen can be 261, which means
sizeReason can be as large as 257, which means it will try copying 257 bytes
into a 256 byte buffer.

Proposed change would be:
if ( hdrLen >= sizeof(result)-2 )

But I don't know enough about the protocol specifics to know if this is the
correct change. Does anyone currently "own" this code?

Regards,
Kennard
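The boundary arithmetic above, worked through as an added example; this is not code from the post or from reSIProcate. It assumes a struct layout matching the reported sizeof(result) == 262 (2-byte pad, error class, number, a 256-byte reason buffer, 2-byte sizeReason) and that sizeReason is computed as hdrLen minus the 4 fixed bytes; the helper names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define STUN_MAX_STRING 256
#define ERROR_FIXED_LEN 4   /* 2-byte pad + errorClass + number */

/* Assumed layout: sizeof == 262, as stated in the report. */
typedef struct {
    uint16_t pad;
    uint8_t  errorClass;
    uint8_t  number;
    char     reason[STUN_MAX_STRING];
    uint16_t sizeReason;
} StunAtrError;

/* The original check and the proposed one, as predicates on hdrLen. */
static bool len_ok_original(unsigned hdrLen) { return hdrLen < sizeof(StunAtrError); }
static bool len_ok_proposed(unsigned hdrLen) { return hdrLen < sizeof(StunAtrError) - 2; }

/* Largest reason length (hdrLen - 4) that a given check still admits. */
static unsigned max_reason_admitted(bool (*ok)(unsigned)) {
    unsigned best = 0;
    for (unsigned h = ERROR_FIXED_LEN; h < 1024; h++)
        if (ok(h)) best = h - ERROR_FIXED_LEN;
    return best;
}

/* Hardened parse: bound derived from the reason buffer itself, leaving room for the NUL. */
static bool stun_parse_atr_error_safe(const uint8_t *body, unsigned hdrLen, StunAtrError *r) {
    if (hdrLen < ERROR_FIXED_LEN) return false;
    unsigned reasonLen = hdrLen - ERROR_FIXED_LEN;
    if (reasonLen > STUN_MAX_STRING - 1) return false;
    r->pad = (uint16_t)((body[0] << 8) | body[1]);
    r->errorClass = body[2];
    r->number = body[3];
    r->sizeReason = (uint16_t)reasonLen;
    memcpy(r->reason, body + ERROR_FIXED_LEN, reasonLen);
    r->reason[reasonLen] = '\0';
    return true;
}

/* Constructed attribute body (class 4, number 1, reason filled with 'A').
   Returns the parsed sizeReason, or -1 if the parser rejects hdrLen. */
static int demo_parse(unsigned hdrLen) {
    uint8_t body[512];
    memset(body, 'A', sizeof body);
    body[0] = 0; body[1] = 0; body[2] = 4; body[3] = 1;
    StunAtrError r;
    if (!stun_parse_atr_error_safe(body, hdrLen, &r)) return -1;
    return (r.errorClass == 4 && r.number == 1 && strlen(r.reason) == r.sizeReason) ? r.sizeReason : -2;
}
```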