summaryrefslogtreecommitdiff
path: root/agent
diff options
context:
space:
mode:
authorJakub Adam <jakub.adam@ktknet.cz>2018-10-31 01:56:39 +0100
committerJakub Adam <jakub.adam@ktknet.cz>2018-10-31 12:45:16 +0100
commit5496500b1535d9343fdac2a3408864643fe65d7e (patch)
tree9d293f82952f99d6c555cca7898e16bbe2c91a79 /agent
parentd79d1179113f4847aceb8249ce7d75ca6fc8c140 (diff)
downloadlibnice-5496500b1535d9343fdac2a3408864643fe65d7e.tar.gz
agent: check message length before extracting RFC4571 frame size
nice_socket_recv_messages() may return a NiceInputMessage of length = 0, so before attempting to read the RFC4571 header check the message really has at least sizeof (guint16) bytes of data. The bug's always been there, the previous commit only made it more apparent.
Diffstat (limited to 'agent')
-rw-r--r--agent/agent.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/agent/agent.c b/agent/agent.c
index ed3bfd5..c4de0af 100644
--- a/agent/agent.c
+++ b/agent/agent.c
@@ -3757,7 +3757,7 @@ agent_recv_message_unlocked (
local_bufs[i + 1].size = message->buffers[i].size;
}
sockret = nice_socket_recv_messages (nicesock, &local_message, 1);
- if (sockret == 1) {
+ if (sockret == 1 && local_message.length >= sizeof (guint16)) {
message->length = ntohs (rfc4571_frame);
}
} else {
@@ -3818,7 +3818,7 @@ agent_recv_message_unlocked (
NiceInputMessage local_message = { &local_buf, 1, message->from, 0};
sockret = nice_socket_recv_messages (nicesock, &local_message, 1);
- if (sockret == 1) {
+ if (sockret == 1 && local_message.length >= sizeof (guint16)) {
agent->rfc4571_expecting_length = ntohs (rfc4571_frame);
available = g_socket_get_available_bytes (nicesock->fileno);
}