Commit d4bd43c9 authored by marcus's avatar marcus
Browse files

Fix memory access issue in srtp_get_session_keys()

In srtp_get_session_keys(), when packet size (*pkt_octet_len) is
greater than auth tag length but smaller than (auth tag length + MKI
size), mki_start_location would take on incredible huge values,
leading to memory access issue when calling memcmp() on iOS platform.

Add additional sanity check before calculating mki_start_location.
parent 2761dacf
......@@ -1604,7 +1604,8 @@ srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream,
base_mki_start_location -= tag_len;
for (i = 0; i < stream->num_master_keys; i++) {
if (stream->session_keys[i].mki_size != 0) {
if (stream->session_keys[i].mki_size != 0 &&
stream->session_keys[i].mki_size <= base_mki_start_location) {
*mki_size = stream->session_keys[i].mki_size;
mki_start_location = base_mki_start_location - *mki_size;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment