From 02a8a4fb76bf32cbaa11236d59fe5719cb41c47d Mon Sep 17 00:00:00 2001 From: Shpoike Date: Mon, 20 Feb 2023 12:17:17 +0000 Subject: [PATCH] Prevent our sctp implementation from corrupting its inbound messages. --- engine/common/net_ice.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/engine/common/net_ice.c b/engine/common/net_ice.c index 50999ac40..53c4f2f36 100644 --- a/engine/common/net_ice.c +++ b/engine/common/net_ice.c @@ -3510,7 +3510,7 @@ static void SCTP_Decode(sctp_t *sctp, struct icestate_s *peer, ftenet_connection qbyte resp[4096]; qbyte *msg = net_message.data; - qbyte *msgend = net_message.data+net_message.cursize; + qbyte *msgend = msg+net_message.cursize; struct sctp_header_s *h = (struct sctp_header_s*)msg; struct sctp_chunk_s *c = (struct sctp_chunk_s*)(h+1); quint16_t clen; @@ -3531,11 +3531,21 @@ static void SCTP_Decode(sctp_t *sctp, struct icestate_s *peer, ftenet_connection return; //mimic chrome, despite it being pointless. } + //passed the simple header checks, spend a memcpy... + msg = alloca(net_message.cursize); + memcpy(msg, net_message.data, net_message.cursize); + msgend = msg+net_message.cursize; + h = (struct sctp_header_s*)msg; + c = (struct sctp_chunk_s*)(h+1); + while ((qbyte*)(c+1) <= msgend) { clen = BigShort(c->length); if ((qbyte*)c + clen > msgend || clen < sizeof(*c)) - break; //corrupt + { + Con_Printf(CON_ERROR"Corrupt SCTP message\n"); + break; + } safeswitch(c->type) { case SCTP_TYPE_DATA: