Fixed crash with invalid PDU and added MAGIC-COOKIE attribute for backward compatibility with old TURN

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@1150 74dad513-b988-da41-8d7b-12977e46ad98

4 files changed, 30 insertions, 9 deletions

diff --git a/pjnath/include/pjnath/stun_msg.h b/pjnath/include/pjnath/stun_msg.h
index f1544de3..b9a0db29 100644
--- a/pjnath/include/pjnath/stun_msg.h
+++ b/pjnath/include/pjnath/stun_msg.h
@@ -285,6 +285,7 @@ typedef enum pj_stun_attr_type
     PJ_STUN_ATTR_UNKNOWN_ATTRIBUTES = 0x000A,/**< UNKNOWN-ATTRIBUTES.	    */
     PJ_STUN_ATTR_REFLECTED_FROM	    = 0x000B,/**< REFLECTED-FROM (deprecatd)*/
     PJ_STUN_ATTR_LIFETIME	    = 0x000D,/**< LIFETIME attribute.	    */
+    PJ_STUN_ATTR_MAGIC_COOKIE	    = 0x000F,/**< MAGIC-COOKIE attr (deprec)*/
     PJ_STUN_ATTR_BANDWIDTH	    = 0x0010,/**< BANDWIDTH attribute	    */
     PJ_STUN_ATTR_REMOTE_ADDR	    = 0x0012,/**< REMOTE-ADDRESS attribute  */
     PJ_STUN_ATTR_DATA		    = 0x0013,/**< DATA attribute.	    */
diff --git a/pjnath/src/pjnath/errno.c b/pjnath/src/pjnath/errno.c
index 88fc7494..d555336b 100644
--- a/pjnath/src/pjnath/errno.c
+++ b/pjnath/src/pjnath/errno.c
@@ -134,6 +134,8 @@ static pj_str_t pjnath_strerror2(pj_status_t statcode,
     const pj_str_t cmsg = pj_stun_get_err_reason(stun_code);
     pj_str_t errstr;
 
+    buf[bufsize-1] = '\0';
+
     if (cmsg.slen == 0) {
 	/* Not found */
 	errstr.ptr = buf;
@@ -143,6 +145,10 @@ static pj_str_t pjnath_strerror2(pj_status_t statcode,
     } else {
 	errstr.ptr = buf;
 	pj_strncpy(&errstr, &cmsg, bufsize);
+	if (errstr.slen < (int)bufsize)
+	    buf[errstr.slen] = '\0';
+	else
+	    buf[bufsize-1] = '\0';
     }
 
     if (errstr.slen < 0) errstr.slen = 0;
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index 1f17171f..2ae84828 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -232,10 +232,10 @@ static struct attr_desc mandatory_attr_desc[] =
 	NULL
     },
     {
-	/* ID 0x000F is not assigned */
-	NULL,
-	NULL,
-	NULL
+	/* PJ_STUN_ATTR_MAGIC_COOKIE */
+	"MAGIC-COOKIE",
+	&decode_uint_attr,
+	&encode_uint_attr
     },
     {
 	/* PJ_STUN_ATTR_BANDWIDTH, */
@@ -1772,15 +1772,15 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
 
     /* Parse attributes */
     uattr_cnt = 0;
-    while (pdu_len > 0) {
+    while (pdu_len >= 4) {
 	unsigned attr_type, attr_val_len;
 	const struct attr_desc *adesc;
 
 	/* Get attribute type and length. If length is not aligned
 	 * to 4 bytes boundary, add padding.
 	 */
-	attr_type = pj_ntohs(*(pj_uint16_t*)pdu);
-	attr_val_len = pj_ntohs(*(pj_uint16_t*)(pdu+2));
+	attr_type = GETVAL16H(pdu, 0);
+	attr_val_len = GETVAL16H(pdu, 2);
 	attr_val_len = (attr_val_len + 3) & (~3);
 
 	/* Check length */
@@ -1919,8 +1919,21 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
 	    msg->attr[msg->attr_count++] = (pj_stun_attr_hdr*)attr;
 	}
 
-	pdu += (attr_val_len + 4);
-	pdu_len -= (attr_val_len + 4);
+	if (attr_val_len + 4 >= pdu_len) {
+	    pdu += pdu_len;
+	    pdu_len = 0;
+	} else {
+	    pdu += (attr_val_len + 4);
+	    pdu_len -= (attr_val_len + 4);
+	}
+    }
+
+    if (pdu_len > 0) {
+	/* Stray trailing bytes */
+	PJ_LOG(4,(THIS_FILE, 
+		  "Error decoding STUN message: unparsed trailing %d bytes",
+		  pdu_len));
+	return PJNATH_EINSTUNMSGLEN;
     }
 
     *p_msg = msg;
diff --git a/pjnath/src/pjstun-client/client_main.c b/pjnath/src/pjstun-client/client_main.c
index 90b6edbd..958c23cb 100644
--- a/pjnath/src/pjstun-client/client_main.c
+++ b/pjnath/src/pjstun-client/client_main.c
@@ -184,6 +184,7 @@ static int init()
 
     status = pj_init();
     status = pjlib_util_init();
+    status = pjnath_init();
 
     pj_caching_pool_init(&g.cp, &pj_pool_factory_default_policy, 0);