Chromium Code Reviews

Side by Side Diff: webrtc/p2p/base/stun.cc

Issue 2071873002: Fix buffer overflow in HMAC validation of STUN messages. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View unified diff |
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright 2004 The WebRTC Project Authors. All rights reserved. 2 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license 4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source 5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found 6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may 7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree. 8 * be found in the AUTHORS file in the root of the source tree.
9 */ 9 */
10 10
(...skipping 131 matching lines...)
142 return false; 142 return false;
143 } 143 }
144 144
145 // Finding Message Integrity attribute in stun message. 145 // Finding Message Integrity attribute in stun message.
146 size_t current_pos = kStunHeaderSize; 146 size_t current_pos = kStunHeaderSize;
147 bool has_message_integrity_attr = false; 147 bool has_message_integrity_attr = false;
148 while (current_pos < size) { 148 while (current_pos < size) {
149 uint16_t attr_type, attr_length; 149 uint16_t attr_type, attr_length;
150 // Getting attribute type and length. 150 // Getting attribute type and length.
151 attr_type = rtc::GetBE16(&data[current_pos]); 151 attr_type = rtc::GetBE16(&data[current_pos]);
152 attr_length = rtc::GetBE16(&data[current_pos + sizeof(attr_type)]); 152 attr_length = rtc::GetBE16(&data[current_pos + sizeof(attr_type)]);
Sergey Ulanov 2016/06/17 00:52:49 I think here we need to verify that current_pos +
katrielc1 2016/06/17 08:21:55 I think you don't technically need to verify that,
153 153
154 // If M-I, sanity check it, and break out. 154 // If M-I, sanity check it, and break out.
155 if (attr_type == STUN_ATTR_MESSAGE_INTEGRITY) { 155 if (attr_type == STUN_ATTR_MESSAGE_INTEGRITY) {
156 if (attr_length != kStunMessageIntegritySize || 156 if (attr_length != kStunMessageIntegritySize ||
157 current_pos + attr_length > size) { 157 current_pos + attr_length >= size) {
Sergey Ulanov 2016/06/17 00:52:49 Should this be "current_pos + sizeof(attr_type) +
katrielc1 2016/06/17 08:21:55 Yes, you're right. (I think it may be equivalent
158 return false; 158 return false;
159 } 159 }
160 has_message_integrity_attr = true; 160 has_message_integrity_attr = true;
161 break; 161 break;
162 } 162 }
163 163
164 // Otherwise, skip to the next attribute. 164 // Otherwise, skip to the next attribute.
165 current_pos += sizeof(attr_type) + sizeof(attr_length) + attr_length; 165 current_pos += sizeof(attr_type) + sizeof(attr_length) + attr_length;
166 if ((attr_length % 4) != 0) { 166 if ((attr_length % 4) != 0) {
167 current_pos += (4 - (attr_length % 4)); 167 current_pos += (4 - (attr_length % 4));
(...skipping 743 matching lines...)
911 digest, sizeof(digest)); 911 digest, sizeof(digest));
912 if (size == 0) { 912 if (size == 0) {
913 return false; 913 return false;
914 } 914 }
915 915
916 *hash = std::string(digest, size); 916 *hash = std::string(digest, size);
917 return true; 917 return true;
918 } 918 }
919 919
920 } // namespace cricket 920 } // namespace cricket
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine