From 5496500b1535d9343fdac2a3408864643fe65d7e Mon Sep 17 00:00:00 2001
From: Jakub Adam
Date: Wed, 31 Oct 2018 01:56:39 +0100
Subject: agent: check message length before extracting RFC4571 frame size

nice_socket_recv_messages() may return a NiceInputMessage of length = 0, so before attempting to read the RFC4571 header check the message really has at least sizeof (guint16) bytes of data. The bug's always been there, the previous commit only made it more apparent.
---
 agent/agent.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/agent/agent.c b/agent/agent.c
index ed3bfd5..c4de0af 100644
--- a/agent/agent.c
+++ b/agent/agent.c
@@ -3757,7 +3757,7 @@ agent_recv_message_unlocked (
 local_bufs[i + 1].size = message->buffers[i].size;
 }
 sockret = nice_socket_recv_messages (nicesock, &local_message, 1);
- if (sockret == 1) {
+ if (sockret == 1 && local_message.length >= sizeof (guint16)) {
 message->length = ntohs (rfc4571_frame);
 }
 } else {
@@ -3818,7 +3818,7 @@ agent_recv_message_unlocked (
 NiceInputMessage local_message = { &local_buf, 1, message->from, 0};
 
 sockret = nice_socket_recv_messages (nicesock, &local_message, 1);
- if (sockret == 1) {
+ if (sockret == 1 && local_message.length >= sizeof (guint16)) {
 agent->rfc4571_expecting_length = ntohs (rfc4571_frame);
 available = g_socket_get_available_bytes (nicesock->fileno);
 }
-- 
cgit v1.2.1
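Review bot: When the new condition `if (sockret == 1 && local_message.length >= sizeof (guint16))` fails with sockret == 1 but fewer than two bytes received, those bytes have already been consumed from the socket and are dropped, while neither message->length (first hunk) nor agent->rfc4571_expecting_length (second hunk, @@ -3818) is updated, so execution continues as if the read had succeeded with whatever value those fields held before. On a stream socket a one-byte read of the RFC 4571 length prefix is possible, and silently discarding it leaves the framing for the rest of the connection unreliable; that case deserves at least a comment above the condition, `/* short read of the RFC 4571 length prefix: bytes already consumed, framing is no longer reliable */`, and ideally an explicit short-read path instead of falling through. Whether local_buf is exactly sizeof (guint16) and how sockret is interpreted afterwards is outside the hunk, so this is inferred from the visible lines. agent_recv_message_unlocked begins and ends outside both hunks.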