From 721b577e0c0be61d2c8507a74156813aeabbe3a7 Mon Sep 17 00:00:00 2001
From: Nanang Izzuddin <nanang@teluu.com>
Date: Wed, 2 Jun 2010 09:32:42 +0000
Subject: Fix #1074: Fixed SRTP crypto parser to preverify the key length.

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@3191 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjmedia/src/pjmedia/transport_srtp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'pjmedia/src')

diff --git a/pjmedia/src/pjmedia/transport_srtp.c b/pjmedia/src/pjmedia/transport_srtp.c
index 9e03f594..20005c39 100644
--- a/pjmedia/src/pjmedia/transport_srtp.c
+++ b/pjmedia/src/pjmedia/transport_srtp.c
@@ -1054,9 +1054,13 @@ static pj_status_t parse_attr_crypto(pj_pool_t *pool,
 	return PJMEDIA_SDP_EINATTR;
     }
     tmp = pj_str(token);
-    crypto->key.ptr = (char*) pj_pool_zalloc(pool, MAX_KEY_LEN);
+    if (PJ_BASE64_TO_BASE256_LEN(tmp.slen) > MAX_KEY_LEN) {
+	PJ_LOG(4,(THIS_FILE, "Key too long"));
+	return PJMEDIA_SRTP_EINKEYLEN;
+    }
 
     /* Decode key */
+    crypto->key.ptr = (char*) pj_pool_zalloc(pool, MAX_KEY_LEN);
     itmp = MAX_KEY_LEN;
     status = pj_base64_decode(&tmp, (pj_uint8_t*)crypto->key.ptr, 
 			      &itmp);
-- 
cgit v1.2.3