From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001 From: sauwming Date: Tue, 7 Jun 2022 12:00:13 +0800 Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj [Retrieved from: https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202] Signed-off-by: Fabrice Fontaine --- pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c index 722519584..d0549176d 100644 --- a/pjlib-util/src/pjlib-util/stun_simple.c +++ b/pjlib-util/src/pjlib-util/stun_simple.c @@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len, { pj_uint16_t msg_type, msg_len; char *p_attr; + int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr); PJ_CHECK_STACK(); @@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len, msg->attr_count = 0; p_attr = (char*)buf + sizeof(pjstun_msg_hdr); - while (msg_len > 0) { + while (msg_len > 0 && msg->attr_count < attr_max_cnt) { pjstun_attr_hdr **attr = &msg->attr[msg->attr_count]; pj_uint32_t len; pj_uint16_t attr_type; @@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len, p_attr += len; ++msg->attr_count; } + if (msg->attr_count == attr_max_cnt) { + PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.", + attr_max_cnt)); + } return PJ_SUCCESS; }