Prevent our sctp implementation from corrupting its inbound messages.
Shpoike committed Apr 17, 2023
1 parent 2c8c9b6 commit 02a8a4f
Showing 1 changed file with 12 additions and 2 deletions.
14 changes: 12 additions & 2 deletions engine/common/net_ice.c
Expand Up @@ -3510,7 +3510,7 @@ static void SCTP_Decode(sctp_t *sctp, struct icestate_s *peer, ftenet_connection
qbyte resp[4096];

qbyte *msg = net_message.data;
qbyte *msgend = net_message.data+net_message.cursize;
qbyte *msgend = msg+net_message.cursize;
struct sctp_header_s *h = (struct sctp_header_s*)msg;
struct sctp_chunk_s *c = (struct sctp_chunk_s*)(h+1);
quint16_t clen;
Expand All @@ -3531,11 +3531,21 @@ static void SCTP_Decode(sctp_t *sctp, struct icestate_s *peer, ftenet_connection
return; //mimic chrome, despite it being pointless.
}

//passed the simple header checks, spend a memcpy...
msg = alloca(net_message.cursize);
memcpy(msg, net_message.data, net_message.cursize);
msgend = msg+net_message.cursize;
h = (struct sctp_header_s*)msg;
c = (struct sctp_chunk_s*)(h+1);

while ((qbyte*)(c+1) <= msgend)
{
clen = BigShort(c->length);
if ((qbyte*)c + clen > msgend || clen < sizeof(*c))
break; //corrupt
{
Con_Printf(CON_ERROR"Corrupt SCTP message\n");
break;
}
safeswitch(c->type)
{
case SCTP_TYPE_DATA:
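Review bot: The `msg = alloca(net_message.cursize);` line sizes a stack allocation directly from a length that arrives with the inbound packet, on top of the existing `qbyte resp[4096]` in the same frame, and alloca gives no indication when the stack cannot accommodate it; whether that is acceptable depends on net_message's capacity, which is not visible in this hunk. If that capacity is a small fixed constant, say so in the comment; otherwise a fixed-size local with an explicit guard, `qbyte copy[SCTP_MAX_PACKET /* placeholder: use net_message's real capacity */]; if (net_message.cursize > sizeof(copy)) return; msg = copy;`, or a heap buffer keeps the stack cost bounded. The comment `//passed the simple header checks, spend a memcpy...` explains the cost but not the reason the commit exists; it should name what would otherwise overwrite net_message.data during decoding, e.g. `// decode from a private copy: chunk handlers below may transmit/receive and clobber net_message.data`. SCTP_Decode begins before the first hunk and ends after the second.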
