mirrors/coturn
1
0
Fork 0
mirror of https://github.com/coturn/coturn.git synced 2025-11-04 17:01:39 +01:00
Code Issues Projects Releases Wiki Activity

Fix memcpy len checks stun_is_challenge_response_str (#1280)

Browse Source 
Add missing checks for length of realm/nonce/server_name before copying
those values to the buffer passed to stun_is_challenge_response_str.

The function stun_is_challenge_response_str is only used in uclient test
application.

Thank you very much @0xdea

Co-authored-by: Gustavo Garcia <gustavogb@mail.com>
This commit is contained in:
Gustavo Garcia 2023-10-02 16:19:38 +02:00 committed by GitHub
parent 17e3b81a36
commit 4e0d21e1b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/apps/common/ns_turn_utils.h
View File

@ -96,6 +96,10 @@ int is_secure_string(const uint8_t *string, int sanitizesql);
/////////////////////////////////////////////////////// ///////////////////////////////////////////////////////
#if !defined(min)
#define min(a, b) ((a) <= (b) ? (a) : (b))
#endif
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif

7
src/client/ns_turn_msg.c
View File

@ -34,6 +34,7 @@
///////////// Security functions implementation from ns_turn_msg.h /////////// ///////////// Security functions implementation from ns_turn_msg.h ///////////
#include "ns_turn_openssl.h" #include "ns_turn_openssl.h"
#include "ns_turn_utils.h"
/////////// ///////////
@ -546,24 +547,23 @@ int stun_is_challenge_response_str(const uint8_t *buf, size_t len, int *err_code
int ret = stun_is_error_response_str(buf, len, err_code, err_msg, err_msg_size); int ret = stun_is_error_response_str(buf, len, err_code, err_msg, err_msg_size);
if (ret && (((*err_code) == 401) || ((*err_code) == 438))) { if (ret && (((*err_code) == 401) || ((*err_code) == 438))) {
stun_attr_ref sar = stun_attr_get_first_by_type_str(buf, len, STUN_ATTRIBUTE_REALM); stun_attr_ref sar = stun_attr_get_first_by_type_str(buf, len, STUN_ATTRIBUTE_REALM);
if (sar) { if (sar) {
int found_oauth = 0; int found_oauth = 0;
const uint8_t *value = stun_attr_get_value(sar); const uint8_t *value = stun_attr_get_value(sar);
if (value) { if (value) {
size_t vlen = (size_t)stun_attr_get_len(sar); size_t vlen = (size_t)stun_attr_get_len(sar);
vlen = min(vlen, STUN_MAX_REALM_SIZE);
memcpy(realm, value, vlen); memcpy(realm, value, vlen);
realm[vlen] = 0; realm[vlen] = 0;
{ {
sar = stun_attr_get_first_by_type_str(buf, len, STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION); sar = stun_attr_get_first_by_type_str(buf, len, STUN_ATTRIBUTE_THIRD_PARTY_AUTHORIZATION);
if (sar) { if (sar) {
value = stun_attr_get_value(sar); value = stun_attr_get_value(sar);
if (value) { if (value) {
vlen = (size_t)stun_attr_get_len(sar); vlen = (size_t)stun_attr_get_len(sar);
vlen = min(vlen, STUN_MAX_SERVER_NAME_SIZE);
if (vlen > 0) { if (vlen > 0) {
if (server_name) { if (server_name) {
memcpy(server_name, value, vlen); memcpy(server_name, value, vlen);
@ -579,6 +579,7 @@ int stun_is_challenge_response_str(const uint8_t *buf, size_t len, int *err_code
value = stun_attr_get_value(sar); value = stun_attr_get_value(sar);
if (value) { if (value) {
vlen = (size_t)stun_attr_get_len(sar); vlen = (size_t)stun_attr_get_len(sar);
vlen = min(vlen, STUN_MAX_NONCE_SIZE);
memcpy(nonce, value, vlen); memcpy(nonce, value, vlen);
nonce[vlen] = 0; nonce[vlen] = 0;
if (oauth) { if (oauth) {

4
src/server/ns_turn_server.c
View File

@ -3165,10 +3165,6 @@ static int create_challenge_response(ts_ur_super_session *ss, stun_tid *tid, int
return 0; return 0;
} }
#if !defined(min)
#define min(a, b) ((a) <= (b) ? (a) : (b))
#endif
static void resume_processing_after_username_check(int success, int oauth, int max_session_time, hmackey_t hmackey, static void resume_processing_after_username_check(int success, int oauth, int max_session_time, hmackey_t hmackey,
password_t pwd, turn_turnserver *server, uint64_t ctxkey, password_t pwd, turn_turnserver *server, uint64_t ctxkey,
ioa_net_data *in_buffer, uint8_t *realm) { ioa_net_data *in_buffer, uint8_t *realm) {