From a09aa989b667481f33e5602bf30028d5a264d4e7 Mon Sep 17 00:00:00 2001 From: Pavel Punsky Date: Mon, 5 Sep 2022 12:07:07 -0700 Subject: [PATCH] Do not write outside of a buffer in admin interface (#972) Writing outside of a buffer can only happen if incoming HTTP request is longer than UDP_STUN_BUFFER_SIZE (16KB). This change validates that the request is no longer than the buffer size and drops it if it is the case Fixes #342 Test plan: - Run in debugger and send a 16KB request using curl - response returns, logs correct - Send 16KB + 1b request - warning logged and request dropped Co-authored-by: Pavel Punsky --- src/apps/relay/turn_admin_server.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/apps/relay/turn_admin_server.c b/src/apps/relay/turn_admin_server.c index 7ad2ab15..965a2336 100644 --- a/src/apps/relay/turn_admin_server.c +++ b/src/apps/relay/turn_admin_server.c @@ -1202,7 +1202,11 @@ static void web_admin_input_handler(ioa_socket_handle s, int event_type, int to_be_closed = 0; int buffer_size = (int)ioa_network_buffer_get_size(in_buffer->nbh); - if (buffer_size > 0) { + if (buffer_size >= UDP_STUN_BUFFER_SIZE) { + TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING, "%s: request is too big: %d\n", __FUNCTION__, buffer_size); + to_be_closed = 1; + } + else if (buffer_size > 0) { SOCKET_TYPE st = get_ioa_socket_type(s);