Commit 1c0a17bf authored by Kai Vehmanen's avatar Kai Vehmanen

Fix a memory leak, and a potential segfault in STUN error message encoding. Patch by Mika Saari.

darcs-hash:20060828145528-7659e-406943d07b9b2e77f085a31c88b2e7c0052eaaa1.gz
parent d00543d3
...@@ -382,27 +382,37 @@ int stun_encode_uint32(stun_attr_t *attr) { ...@@ -382,27 +382,37 @@ int stun_encode_uint32(stun_attr_t *attr) {
int stun_encode_error_code(stun_attr_t *attr) { int stun_encode_error_code(stun_attr_t *attr) {
short int class, num; short int class, num;
char *reason; char *reason;
int len; int phrase_len, result;
stun_attr_errorcode_t *error; stun_attr_errorcode_t *error;
error = (stun_attr_errorcode_t *) attr->pattr; error = (stun_attr_errorcode_t *) attr->pattr;
class = error->code / 100; class = error->code / 100;
num = error->code % 100; num = error->code % 100;
len = strlen(error->phrase); phrase_len = strlen(error->phrase);
attr->enc_buf.size = len + (len % 4 == 0? 0 : 4 - (len % 4)); /* note: align the phrase len (see RFC3489:11.2.9) */
phrase_len += (phrase_len % 4 == 0 ? 0 : 4 - (phrase_len % 4));
reason = malloc(attr->enc_buf.size); reason = malloc(attr->enc_buf.size);
memset(reason, 0, attr->enc_buf.size); memset(reason, 0, attr->enc_buf.size);
memcpy(reason, error->phrase, len); memcpy(reason, error->phrase, phrase_len);
/* note: error-code has four octets of headers plus the
* reason field -> len+4 octets */
attr->enc_buf.size = phrase_len + 4;
assert(attr->enc_buf.size + 4 < 65536);
attr->enc_buf.size +=4;
assert(attr->enc_buf.size < 65536);
if (stun_encode_type_len(attr, (uint16_t)attr->enc_buf.size) < 0) { if (stun_encode_type_len(attr, (uint16_t)attr->enc_buf.size) < 0) {
return -1; result = -1;
} }
memset(attr->enc_buf.data+4, 0, 2); else {
memcpy(attr->enc_buf.data+6, &class, 1); memset(attr->enc_buf.data+4, 0, 2);
memcpy(attr->enc_buf.data+7, &num, 1); memcpy(attr->enc_buf.data+6, &class, 1);
memcpy(attr->enc_buf.data+8, reason, attr->enc_buf.size - 4); memcpy(attr->enc_buf.data+7, &num, 1);
/* note: 4 octets of TLV header and 4 octets of error-code header */
memcpy(attr->enc_buf.data+8, reason, attr->enc_buf.size - 8);
}
free(reason);
return attr->enc_buf.size; return attr->enc_buf.size;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment