From 870fe03a79fa990c40f37f037e9236dba11811e2 Mon Sep 17 00:00:00 2001 From: Anderson Lizardo Date: Sun, 3 Feb 2013 21:20:43 -0400 Subject: [PATCH] lib: Fix buffer overflow when processing SDP response rsp_count is either read or calculated from untrusted input, and therefore needs to be checked before being used as offset. The "plen" variable is appropriate because it is calculated as the sum of fixed and variable length fields, excluding the continuation state field, which has at least 1 byte for its own length field. --- lib/sdp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lib/sdp.c b/lib/sdp.c index b87f392ac..7ab7379b5 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -4189,6 +4189,17 @@ int sdp_process(sdp_session_t *session) goto end; } + /* Out of bound check before using rsp_count as offset for + * continuation state, which has at least a one byte size + * field. + */ + if ((n - (int) sizeof(sdp_pdu_hdr_t)) < plen + 1) { + t->err = EPROTO; + SDPERR("Protocol error: invalid PDU size"); + status = SDP_INVALID_PDU_SIZE; + goto end; + } + pcstate = (sdp_cstate_t *) (pdata + rsp_count); SDPDBG("Cstate length : %d\n", pcstate->length); -- 2.11.0