From 8149ac27024d5c49c2aed141bc850cce2a3cbee5 Mon Sep 17 00:00:00 2001
From: Benny Prijono
Date: Wed, 4 Apr 2007 17:29:36 +0000
Subject: Fixed crash with invalid PDU and added MAGIC-COOKIE attribute for backward compatibility with old TURN

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@1150 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjnath/src/pjnath/errno.c              |  6 ++++++
 pjnath/src/pjnath/stun_msg.c           | 31 ++++++++++++++++++++++---------
 pjnath/src/pjstun-client/client_main.c |  1 +
 3 files changed, 29 insertions(+), 9 deletions(-)

(limited to 'pjnath/src')

diff --git a/pjnath/src/pjnath/errno.c b/pjnath/src/pjnath/errno.c
index 88fc7494..d555336b 100644
--- a/pjnath/src/pjnath/errno.c
+++ b/pjnath/src/pjnath/errno.c
@@ -134,6 +134,8 @@ static pj_str_t pjnath_strerror2(pj_status_t statcode,
     const pj_str_t cmsg = pj_stun_get_err_reason(stun_code);
     pj_str_t errstr;
 
+    buf[bufsize-1] = '\0';
+
     if (cmsg.slen == 0) {
	/* Not found */
	errstr.ptr = buf;
@@ -143,6 +145,10 @@ static pj_str_t pjnath_strerror2(pj_status_t statcode,
     } else {
	errstr.ptr = buf;
	pj_strncpy(&errstr, &cmsg, bufsize);
+	if (errstr.slen < (int)bufsize) buf[errstr.slen] = '\0';
+	else buf[bufsize-1] = '\0';
     }
 
     if (errstr.slen < 0) errstr.slen = 0;
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
index 1f17171f..2ae84828 100644
--- a/pjnath/src/pjnath/stun_msg.c
+++ b/pjnath/src/pjnath/stun_msg.c
@@ -232,10 +232,10 @@ static struct attr_desc mandatory_attr_desc[] =
	NULL
     },
     {
-	/* ID 0x000F is not assigned */
-	NULL,
-	NULL,
-	NULL
+	/* PJ_STUN_ATTR_MAGIC_COOKIE */
+	"MAGIC-COOKIE",
+	&decode_uint_attr,
+	&encode_uint_attr
     },
     {
	/* PJ_STUN_ATTR_BANDWIDTH, */
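Review bot: The added `buf[bufsize-1] = '\0';` in the first errno.c hunk indexes below the buffer when a caller passes `bufsize == 0`, and nothing in the hunk rules that out (bufsize is presumably unsigned, given the `(int)bufsize` cast in the next hunk, so `bufsize-1` wraps to a huge index). A guard ahead of the write, `if (bufsize == 0) { errstr.ptr = buf; errstr.slen = 0; return errstr; }`, or a `PJ_ASSERT_RETURN`-style check if that is the module's convention, would close it; the second hunk's else branch makes the same assumption. pjnath_strerror2 starts before this hunk and continues after the second one.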
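Review bot: In the second errno.c hunk, the truncation branch overwrites `buf[bufsize-1]` with the terminator but leaves `errstr.slen` untouched, so when pj_strncpy has clamped slen to bufsize (as its name suggests, not visible here) the returned pj_str_t claims one byte more than the C string now holds. The else branch should also shrink the length: `else { buf[bufsize-1] = '\0'; errstr.slen = (int)bufsize - 1; }`. The enclosing function starts before the first hunk and continues after this one.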
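Review bot: The new MAGIC-COOKIE entry in the stun_msg.c table is positional — it takes the slot the removed comment labelled "ID 0x000F is not assigned" — so it only decodes correctly if PJ_STUN_ATTR_MAGIC_COOKIE is defined as 0x000F in the header, which this diff does not show; a comment tying the two would help, e.g. `/* slot index must equal PJ_STUN_ATTR_MAGIC_COOKIE (0x000F); keep in sync with the header */`. Because the entry is wired to the generic `decode_uint_attr`, any 32-bit value is accepted here as a cookie; if the purpose is compatibility with old TURN, whatever consumes the attribute presumably has to compare the decoded value against the expected constant, and that check is not part of this commit. mandatory_attr_desc begins before the hunk and continues after it.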
@@ -1772,15 +1772,15 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
 
     /* Parse attributes */
     uattr_cnt = 0;
-    while (pdu_len > 0) {
+    while (pdu_len >= 4) {
	unsigned attr_type, attr_val_len;
	const struct attr_desc *adesc;
 
	/* Get attribute type and length. If length is not aligned
	 * to 4 bytes boundary, add padding.
	 */
-	attr_type = pj_ntohs(*(pj_uint16_t*)pdu);
-	attr_val_len = pj_ntohs(*(pj_uint16_t*)(pdu+2));
+	attr_type = GETVAL16H(pdu, 0);
+	attr_val_len = GETVAL16H(pdu, 2);
	attr_val_len = (attr_val_len + 3) & (~3);
 
	/* Check length */
@@ -1919,8 +1919,21 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
	    msg->attr[msg->attr_count++] = (pj_stun_attr_hdr*)attr;
	}
 
-	pdu += (attr_val_len + 4);
-	pdu_len -= (attr_val_len + 4);
+	if (attr_val_len + 4 >= pdu_len) {
+	    pdu += pdu_len;
+	    pdu_len = 0;
+	} else {
+	    pdu += (attr_val_len + 4);
+	    pdu_len -= (attr_val_len + 4);
+	}
+    }
+
+    if (pdu_len > 0) {
+	/* Stray trailing bytes */
+	PJ_LOG(4,(THIS_FILE,
+		  "Error decoding STUN message: unparsed trailing %d bytes",
+		  pdu_len));
+	return PJNATH_EINSTUNMSGLEN;
     }
 
     *p_msg = msg;
diff --git a/pjnath/src/pjstun-client/client_main.c b/pjnath/src/pjstun-client/client_main.c
index 90b6edbd..958c23cb 100644
--- a/pjnath/src/pjstun-client/client_main.c
+++ b/pjnath/src/pjstun-client/client_main.c
@@ -184,6 +184,7 @@ static int init()
 
     status = pj_init();
     status = pjlib_util_init();
+    status = pjnath_init();
 
     pj_caching_pool_init(&g.cp, &pj_pool_factory_default_policy, 0);
 
-- 
cgit v1.2.3
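Review bot: The new `if (attr_val_len + 4 >= pdu_len)` clamp in the second stun_msg.c hunk silently absorbs an attribute whose padded length overruns the remaining PDU: if the earlier `/* Check length */` (outside this hunk) already rejects that case, the `>` half is dead code, and if it does not, the attribute decoder has already read past `pdu + pdu_len` by the time the clamp runs, so zeroing `pdu_len` hides a truncated message instead of rejecting it. Only the equality case legitimately needs the branch; making the overrun explicit — `if (attr_val_len + 4 > pdu_len) return PJNATH_EINSTUNMSGLEN;` before the advance — keeps the new trailing-bytes check below meaningful. The log line prints `pdu_len` with `%d`; if pdu_len is unsigned or pj_size_t in the declaration (not visible here) the specifier should match. pj_stun_msg_decode begins before this hunk and continues after it.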
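Review bot: `status = pjnath_init();` in client_main.c stores the return code and then, like the two calls above it, never checks it, so a failed pjnath initialisation is ignored and the client carries on with a half-initialised library; the sample should bail out, e.g. `status = pjnath_init(); if (status != PJ_SUCCESS) return 1;` (or whichever error convention the rest of init() uses). init() starts before the hunk and continues after it.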