Prevent potential DoS attack due to lack of bounds checking on RTP header CSRC count and extension header length. Credit goes to Randell Jesup and the Firefox team for reporting this issue.
jfigus committed Nov 2, 2015
1 parent 1708c33 commit 704a31774db0dd941094fd2b47c21638b8dc3de2
Showing with 5 additions and 5 deletions.
  1. +5 −5 srtp/srtp.c
@@ -950,7 +950,7 @@ srtp_protect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream,
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
return err_status_parse_err;
enc_octet_len = (unsigned int)(*pkt_octet_len -
((uint8_t*)enc_start - (uint8_t*)hdr));
@@ -1077,7 +1077,7 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta,
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
return err_status_parse_err;
/*
* We pass the tag down to the cipher when doing GCM mode
@@ -1307,9 +1307,9 @@ srtp_unprotect_aead (srtp_ctx_t *ctx, srtp_stream_ctx_t *stream, int delta,
if (hdr->x == 1) {
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
return err_status_parse_err;
}
if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
return err_status_parse_err;
enc_octet_len = (unsigned int)(*pkt_octet_len -
((uint8_t*)enc_start - (uint8_t*)hdr));
} else {
@@ -1595,7 +1595,7 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
return err_status_parse_err;
enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len -
((uint8_t*)enc_start - (uint8_t*)hdr));
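Review bot: In every hunk the extension header length is still read before any bounds check runs — `enc_start += (ntohs(xtn_hdr->length) + 1);` dereferences `xtn_hdr` first, and only the `if` that follows compares `enc_start` against the packet end. The line that places `enc_start` after the CSRC list is outside the hunk, but if `hdr->cc` alone already carries it to or past `hdr + *pkt_octet_len`, the `ntohs(xtn_hdr->length)` read is out of bounds on a packet the new check then rejects, so the check guards the payload offset but not the read that computes it. A guard before the dereference closes this: `if ((uint8_t*)enc_start + sizeof(*xtn_hdr) > (uint8_t*)hdr + (*pkt_octet_len - tag_len)) return err_status_parse_err;`, placed between the `xtn_hdr` declaration and the `+=` line in each of the four hunks. Note also that `(uint8_t*)hdr + (*pkt_octet_len - tag_len)` is well-defined pointer arithmetic only when `*pkt_octet_len >= tag_len`; presumably a minimum-length check earlier in each function ensures this, but it is not visible here. All four enclosing functions begin and end outside the hunks.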
