Commit 5496500b authored by Jakub Adam's avatar Jakub Adam

agent: check message length before extracting RFC4571 frame size

nice_socket_recv_messages() may return a NiceInputMessage of length = 0,
so before attempting to read the RFC4571 header, check that the message
really has at least sizeof (guint16) bytes of data.

The bug's always been there, the previous commit only made it more
apparent.
parent d79d1179
...@@ -3757,7 +3757,7 @@ agent_recv_message_unlocked ( ...@@ -3757,7 +3757,7 @@ agent_recv_message_unlocked (
local_bufs[i + 1].size = message->buffers[i].size; local_bufs[i + 1].size = message->buffers[i].size;
} }
sockret = nice_socket_recv_messages (nicesock, &local_message, 1); sockret = nice_socket_recv_messages (nicesock, &local_message, 1);
if (sockret == 1) { if (sockret == 1 && local_message.length >= sizeof (guint16)) {
message->length = ntohs (rfc4571_frame); message->length = ntohs (rfc4571_frame);
} }
} else { } else {
...@@ -3818,7 +3818,7 @@ agent_recv_message_unlocked ( ...@@ -3818,7 +3818,7 @@ agent_recv_message_unlocked (
NiceInputMessage local_message = { &local_buf, 1, message->from, 0}; NiceInputMessage local_message = { &local_buf, 1, message->from, 0};
sockret = nice_socket_recv_messages (nicesock, &local_message, 1); sockret = nice_socket_recv_messages (nicesock, &local_message, 1);
if (sockret == 1) { if (sockret == 1 && local_message.length >= sizeof (guint16)) {
agent->rfc4571_expecting_length = ntohs (rfc4571_frame); agent->rfc4571_expecting_length = ntohs (rfc4571_frame);
available = g_socket_get_available_bytes (nicesock->fileno); available = g_socket_get_available_bytes (nicesock->fileno);
} }
......
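Review bot: A successful but short read is now dropped silently in both hunks (the checks after the nice_socket_recv_messages calls at 3757 and 3818): when sockret is 1 but local_message.length is below sizeof (guint16), neither message->length nor agent->rfc4571_expecting_length is updated and the function carries on with whatever value those fields held before. If this socket is stream-oriented, a 1-byte read has presumably already consumed half of the RFC 4571 length prefix, so the framing of everything that follows is lost rather than merely delayed; that case likely deserves an explicit error path or at least a debug log instead of a silent skip. Tying the guard to the object actually read would also keep the two in step if the header type ever changes: `if (sockret == 1 && local_message.length >= sizeof rfc4571_frame) {`. agent_recv_message_unlocked begins and ends outside both hunks, so the prior value of message->length and how the fall-through is handled could not be verified here.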