From ed63e37f8466f27a990f7310bbcf1faf86697e9a Mon Sep 17 00:00:00 2001
From: Henri Herscher
Date: Tue, 3 Jul 2007 16:42:00 +0000
Subject: Fixed rare but potential crashes by making sure orkaudio cannot read memory beyond the end of any captured packet data.
git-svn-id: https://oreka.svn.sourceforge.net/svnroot/oreka/trunk@452 09dcff7a-b715-0410-9601-b79a96267cd0
---
 .../audiocaptureplugins/voip/PacketHeaderDefs.cpp | 57 +++++++++++++++++-----
 1 file changed, 45 insertions(+), 12 deletions(-)
(limited to 'orkaudio/audiocaptureplugins/voip/PacketHeaderDefs.cpp')
diff --git a/orkaudio/audiocaptureplugins/voip/PacketHeaderDefs.cpp b/orkaudio/audiocaptureplugins/voip/PacketHeaderDefs.cpp
index 500f740..660fd08 100644
--- a/orkaudio/audiocaptureplugins/voip/PacketHeaderDefs.cpp
+++ b/orkaudio/audiocaptureplugins/voip/PacketHeaderDefs.cpp
@@ -74,10 +74,24 @@ CStdString SkinnyMessageToString(int msgEnum)
 }
-bool SkinnyValidateStartMediaTransmission(SkStartMediaTransmissionStruct* smt)
+bool SkinnyValidateStartMediaTransmission(SkStartMediaTransmissionStruct* smt, u_char* packetEnd)
 {
 bool valid = true;
- if (smt->remoteTcpPort > 65535)
+ if(((u_char*)smt + sizeof(SkStartMediaTransmissionStruct)) > packetEnd)
+ {
+ valid = false;
+ }
+ else if (smt->remoteTcpPort > 65535)
+ {
+ valid = false;
+ }
+ return valid;
+}
+
+bool SkinnyValidateStopMediaTransmission(SkStopMediaTransmissionStruct* smt, u_char* packetEnd)
+{
+ bool valid = true;
+ if(((u_char*)smt + sizeof(SkStopMediaTransmissionStruct)) > packetEnd)
 {
 valid = false;
 }
@@ -107,10 +121,14 @@ bool checkPartyString(char* string, int size)
 return valid;
 }
-bool SkinnyValidateCallInfo(SkCallInfoStruct* sci)
+bool SkinnyValidateCallInfo(SkCallInfoStruct* sci, u_char* packetEnd)
 {
 bool valid = true;
- if (sci->callType > SKINNY_CALL_TYPE_FORWARD)
+ if(((u_char*)sci + sizeof(SkCallInfoStruct)) > packetEnd)
+ {
+ valid = false;
+ }
+ else if (sci->callType > SKINNY_CALL_TYPE_FORWARD)
 {
 valid = false;
 }
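Review bot: The new bounds test in SkinnyValidateStartMediaTransmission adds sizeof(SkStartMediaTransmissionStruct) to the struct pointer before comparing, so for a struct that starts close to or past packetEnd the sum already points outside the capture buffer, which is undefined behaviour and can wrap around on a high address. Comparing the remaining length avoids forming that pointer: `if (packetEnd < (u_char*)smt || (size_t)(packetEnd - (u_char*)smt) < sizeof(SkStartMediaTransmissionStruct))`. The same expression is repeated in SkinnyValidateStopMediaTransmission in this hunk and in the CallInfo, Ccm5CallInfo, OpenReceiveChannelAck, LineStat and SoftKeyEvent validators in the later hunks.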
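Review bot: The `packetEnd` parameter added to SkinnyValidateCallInfo, and to every other validator in this commit, has no documented contract, and the `> packetEnd` comparison is only correct if it points one past the last captured byte. A comment on the signature would pin that down, for example `// packetEnd: one past the last captured byte of this packet (captured length, not on-wire length)`. If a caller passed the address of the last byte instead, a struct overrunning the capture by exactly one byte would be accepted. The callers are not part of this diff, so this should be confirmed against them; the body of SkinnyValidateCallInfo also continues past the end of the hunk.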
@@ -134,10 +152,14 @@ bool SkinnyValidateCallInfo(SkCallInfoStruct* sci)
 }
-bool SkinnyValidateCcm5CallInfo(SkCcm5CallInfoStruct *sci)
+bool SkinnyValidateCcm5CallInfo(SkCcm5CallInfoStruct *sci, u_char* packetEnd)
 {
 bool valid = true;
- if (sci->callType > SKINNY_CALL_TYPE_FORWARD)
+ if(((u_char*)sci + sizeof(SkCcm5CallInfoStruct)) > packetEnd)
+ {
+ valid = false;
+ }
+ else if (sci->callType > SKINNY_CALL_TYPE_FORWARD)
 {
 valid = false;
 }
@@ -159,19 +181,27 @@ bool SkinnyValidateCcm5CallInfo(SkCcm5CallInfoStruct *sci)
 }
-bool SkinnyValidateOpenReceiveChannelAck(SkOpenReceiveChannelAckStruct* orca)
+bool SkinnyValidateOpenReceiveChannelAck(SkOpenReceiveChannelAckStruct* orca, u_char* packetEnd)
 {
 bool valid = true;
- if (orca->endpointTcpPort > 65535)
+ if(((u_char*)orca + sizeof(SkOpenReceiveChannelAckStruct)) > packetEnd)
+ {
+ valid = false;
+ }
+ else if (orca->endpointTcpPort > 65535)
 {
 valid = false;
 }
 return valid;
 }
-bool SkinnyValidateLineStat(SkLineStatStruct* lineStat)
+bool SkinnyValidateLineStat(SkLineStatStruct* lineStat, u_char* packetEnd)
 {
 bool valid = true;
+ if(((u_char*)lineStat + sizeof(SkLineStatStruct)) > packetEnd)
+ {
+ valid = false;
+ }
 if(valid)
 {
 valid = checkPartyString(lineStat->displayName, SKINNY_DISPLAY_NAME_SIZE);
@@ -183,11 +213,14 @@ bool SkinnyValidateLineStat(SkLineStatStruct* lineStat)
 return valid;
 }
-bool SkinnyValidateSoftKeyEvent(SkSoftKeyEventMessageStruct* softKeyEvent)
+bool SkinnyValidateSoftKeyEvent(SkSoftKeyEventMessageStruct* softKeyEvent, u_char* packetEnd)
 {
 bool valid = true;
-
- if(softKeyEvent->softKeyEvent > SKINNY_SOFTKEY_MAX_EVENT ||
+ if(((u_char*)softKeyEvent + sizeof(SkSoftKeyEventMessageStruct)) > packetEnd)
+ {
+ valid = false;
+ }
+ else if(softKeyEvent->softKeyEvent > SKINNY_SOFTKEY_MAX_EVENT ||
 softKeyEvent->softKeyEvent < SKINNY_SOFTKEY_MIN_EVENT)
 {
 valid = false;
--
cgit v1.2.3
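Review bot: SkinnyValidateOpenReceiveChannelAck and SkinnyValidateLineStat each spell out the same cast-and-compare against packetEnd, as do the five other validators touched by this commit, so any correction to the length test has to be made in seven places. A small file-local helper templated on the struct type would keep the test in one spot, and taking `const u_char*` there would show that validation never writes to the packet. Each validator would then open with a single call to it; the helper name below is only a suggestion. SkinnyValidateLineStat's body continues past the end of the hunk.

```cpp
// True when a complete T starting at p lies before packetEnd
// (packetEnd = one past the last captured byte).
template <typename T>
static bool SkinnyFitsInPacket(const T* p, const u_char* packetEnd)
{
	const u_char* start = reinterpret_cast<const u_char*>(p);
	return start <= packetEnd && static_cast<size_t>(packetEnd - start) >= sizeof(T);
}

bool SkinnyValidateOpenReceiveChannelAck(SkOpenReceiveChannelAckStruct* orca, u_char* packetEnd)
{
	bool valid = true;
	if(!SkinnyFitsInPacket(orca, packetEnd))
	// … unchanged: valid = false, endpointTcpPort range check, return valid …
```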