[Pkg-telepathy-commits] [libnice] 206/265: Fix possible segfault in stun_message_validate_buffer_length()

[Simon McVittie]

This is an automated email from the git hooks/post-receive script.

smcv pushed a commit to branch debian
in repository libnice.

commit 8332ca30f76da79db0a84e9da472cf36487e657b
Author: Jakub Adam <jakub.adam at ktknet.cz>
Date:   Sat Jun 4 23:25:33 2011 +0200

    Fix possible segfault in stun_message_validate_buffer_length()
---
 stun/stunmessage.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/stun/stunmessage.c b/stun/stunmessage.c
index e35b3b6..b9c02b7 100644
--- a/stun/stunmessage.c
+++ b/stun/stunmessage.c
@@ -623,7 +623,16 @@ int stun_message_validate_buffer_length (const uint8_t *msg, size_t length,
   /* from then on, we know we have the entire packet in buffer */
   while (len > 0)
   {
-    size_t alen = stun_getw (msg + STUN_ATTRIBUTE_TYPE_LEN);
+    size_t alen;
+
+    if (len < 4)
+    {
+      stun_debug ("STUN error: Incomplete STUN attribute header of length "
+          "%u bytes!\n", (unsigned)len);
+      return STUN_MESSAGE_BUFFER_INVALID;
+    }
+
+    alen = stun_getw (msg + STUN_ATTRIBUTE_TYPE_LEN);
     if (has_padding)
       alen = stun_align (alen);
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-telepathy/libnice.git