Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(883)

Unified Diff: webrtc/p2p/base/stun_unittest.cc

Issue 2071873002: Fix buffer overflow in HMAC validation of STUN messages. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: Allow length-0 extensions. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « webrtc/p2p/base/stun.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: webrtc/p2p/base/stun_unittest.cc
diff --git a/webrtc/p2p/base/stun_unittest.cc b/webrtc/p2p/base/stun_unittest.cc
index d7ca9991f8554c296abe6229c63c9cf0774c8a5a..033c5ddc6d89d8a1aa107c57b31a7f6b7ba55b72 100644
--- a/webrtc/p2p/base/stun_unittest.cc
+++ b/webrtc/p2p/base/stun_unittest.cc
@@ -243,6 +243,19 @@ static const unsigned char kStunMessageWithSmallLength[] = {
0x21, 0x12, 0xA4, 0x53,
};
+static const unsigned char kStunMessageWithBadHmacAtEnd[] = {
+ 0x00, 0x01, 0x00, 0x14, // message length exactly 20
+ 0x21, 0x12, 0xA4, 0x42, // magic cookie
+ '0', '1', '2', '3', // transaction ID
+ '4', '5', '6', '7',
+ '8', '9', 'a', 'b',
+ 0x00, 0x08, 0x00, 0x14, // type=STUN_ATTR_MESSAGE_INTEGRITY, length=20
+ '0', '0', '0', '0', // We lied, there are only 16 bytes of HMAC.
+ '0', '0', '0', '0',
+ '0', '0', '0', '0',
+ '0', '0', '0', '0',
+};
+
// RTCP packet, for testing we correctly ignore non stun packet types.
// V=2, P=false, RC=0, Type=200, Len=6, Sender-SSRC=85, etc
static const unsigned char kRtcpPacket[] = {
@@ -1194,6 +1207,26 @@ TEST_F(StunTest, ValidateMessageIntegrity) {
sizeof(kStunMessageWithSmallLength),
kRfc5769SampleMsgPassword));
+ // Again, but with the lengths matching what is claimed in the headers.
+ EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+ reinterpret_cast<const char*>(kStunMessageWithZeroLength),
+ kStunHeaderSize + rtc::GetBE16(&kStunMessageWithZeroLength[2]),
+ kRfc5769SampleMsgPassword));
+ EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+ reinterpret_cast<const char*>(kStunMessageWithExcessLength),
+ kStunHeaderSize + rtc::GetBE16(&kStunMessageWithExcessLength[2]),
+ kRfc5769SampleMsgPassword));
+ EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+ reinterpret_cast<const char*>(kStunMessageWithSmallLength),
+ kStunHeaderSize + rtc::GetBE16(&kStunMessageWithSmallLength[2]),
+ kRfc5769SampleMsgPassword));
+
+ // Check that a too-short HMAC doesn't cause buffer overflow.
+ EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+ reinterpret_cast<const char*>(kStunMessageWithBadHmacAtEnd),
+ sizeof(kStunMessageWithBadHmacAtEnd),
+ kRfc5769SampleMsgPassword));
+
// Test that munging a single bit anywhere in the message causes the
// message-integrity check to fail, unless it is after the M-I attribute.
char buf[sizeof(kRfc5769SampleRequest)];
« no previous file with comments | « webrtc/p2p/base/stun.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698