mirror of https://github.com/coturn/coturn.git synced 2026-05-05 02:46:08 +02:00

Fix buffer overflow in decrypt_aes_128 (#1799)

**Issue**: 

strcat(last, (char *)outdata) was used with a fixed
buffer last[1024]. outdata is decryption output that is not
null-terminated (CRYPTO_ctr128_encrypt writes newTotalSize bytes). This
could read past outdata and/or overflow last if decrypted size grew.

**Fix**: 

Replace with bounded copy using memcpy and explicit null
termination, limiting bytes copied to remaining space in last and to
sizeof(outdata).
Pavel Punsky 2026-02-15 17:42:01 -08:00 committed by GitHub
parent 7f7dc99d3e
commit b69ceb4252
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -1843,20 +1843,23 @@ int decodedTextSize(char *input) {
void decrypt_aes_128(char *in, const unsigned char *mykey) {
unsigned char iv[8] = {0};
AES_KEY key;
unsigned char outdata[256] = {0};
AES_set_encrypt_key(mykey, 128, &key);
const int newTotalSize = decodedTextSize(in);
int newTotalSize = decodedTextSize(in);
const int bytes_to_decode = strlen(in);
unsigned char *encryptedText = base64decode(in, bytes_to_decode);
char last[1024] = "";
struct ctr_state state;
init_ctr(&state, iv);
CRYPTO_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num,
if (newTotalSize > (int)(sizeof(last) - 1)) {
newTotalSize = sizeof(last) - 1;
}
CRYPTO_ctr128_encrypt(encryptedText, (unsigned char *)last, newTotalSize, &key, state.ivec, state.ecount, &state.num,
(block128_f)AES_encrypt);
free(encryptedText);
strcat(last, (char *)outdata);
last[newTotalSize] = '\0';
printf("%s\n", last);
}
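Review bot: The clamp added before `CRYPTO_ctr128_encrypt` bounds `newTotalSize` only from above, and the result of `base64decode` is used without a NULL check, so a negative size or a failed decode would still reach the decrypt call and the `last[newTotalSize] = '\0'` store. `decodedTextSize` and `base64decode` are defined outside this hunk, so whether they can return a negative value or NULL is not visible here. If they can, the length converts to a very large `size_t` and the terminator lands before the start of `last`. The clamp also does not tie `newTotalSize` to the number of bytes `base64decode` actually produced, so the read from `encryptedText` relies on the two helpers agreeing. I would add `if (encryptedText == NULL || newTotalSize < 0) { free(encryptedText); return; }` ahead of the clamp; the page has lost its +/- markers, so this reads the lines that write into `last` as the new side.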