Prevent our sctp implementation from corrupting its inbound messages.
This commit is contained in:
parent
2c8c9b615f
commit
02a8a4fb76
1 changed files with 12 additions and 2 deletions
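--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -3510,7 +3510,7 @@ static void SCTP_Decode(sctp_t *sctp, struct icestate_s *peer, ftenet_connection
 qbyte resp[4096];
 
 qbyte *msg = net_message.data;
-qbyte *msgend = net_message.data+net_message.cursize;
+qbyte *msgend = msg+net_message.cursize;
 struct sctp_header_s *h = (struct sctp_header_s*)msg;
 struct sctp_chunk_s *c = (struct sctp_chunk_s*)(h+1);
 quint16_t clen;
@@ -3531,11 +3531,21 @@ static void SCTP_Decode(sctp_t *sctp, struct icestate_s *peer, ftenet_connection
 return; //mimic chrome, despite it being pointless.
 }
 
+//passed the simple header checks, spend a memcpy...
+msg = alloca(net_message.cursize);
+memcpy(msg, net_message.data, net_message.cursize);
+msgend = msg+net_message.cursize;
+h = (struct sctp_header_s*)msg;
+c = (struct sctp_chunk_s*)(h+1);
+
 while ((qbyte*)(c+1) <= msgend)
 {
 clen = BigShort(c->length);
 if ((qbyte*)c + clen > msgend || clen < sizeof(*c))
-break; //corrupt
+{
+Con_Printf(CON_ERROR"Corrupt SCTP message\n");
+break;
+}
 safeswitch(c->type)
 {
 case SCTP_TYPE_DATA: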
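Review bot: `msg = alloca(net_message.cursize);` in the second hunk sizes a stack allocation from the inbound packet length with no upper bound visible here; alloca has no failure path, so if cursize is not already capped by the receive buffer (presumably it is, but that cap is outside this hunk) a large packet exhausts the stack instead of being rejected. Unless the caller guarantees the bound, guard before the copy with `if (net_message.cursize > <receive-buffer limit> /* placeholder: the real maximum */) return;` or copy into a fixed-size local sized to that maximum. Separately, `Con_Printf(CON_ERROR"Corrupt SCTP message\n")` now fires on every malformed chunk from an unauthenticated peer, so a remote sender can flood the console/log at line rate; a developer-level or rate-limited print would keep the diagnostic without the amplification. SCTP_Decode's body continues outside both hunks.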