Commit d4bd43c9 authored by marcus

Fix memory access issue in srtp_get_session_keys()

Issue:
In srtp_get_session_keys(), when packet size (*pkt_octet_len) is
greater than auth tag length but smaller than (auth tag length + MKI
size), mki_start_location would take on incredibly huge values,
leading to a memory access issue when calling memcmp() on iOS platform.

Fix:
Add additional sanity check before calculating mki_start_location.
parent 2761dacf
...@@ -1604,7 +1604,8 @@ srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream, ...@@ -1604,7 +1604,8 @@ srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream,
base_mki_start_location -= tag_len; base_mki_start_location -= tag_len;
for (i = 0; i < stream->num_master_keys; i++) { for (i = 0; i < stream->num_master_keys; i++) {
if (stream->session_keys[i].mki_size != 0) { if (stream->session_keys[i].mki_size != 0 &&
stream->session_keys[i].mki_size <= base_mki_start_location) {
*mki_size = stream->session_keys[i].mki_size; *mki_size = stream->session_keys[i].mki_size;
mki_start_location = base_mki_start_location - *mki_size; mki_start_location = base_mki_start_location - *mki_size;
......
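Review bot: the context line `base_mki_start_location -= tag_len;` just above the loop has the same underflow shape that the new `mki_size <= base_mki_start_location` condition guards against, and nothing in the visible hunk shows a check that the packet is at least tag_len octets long before that subtraction runs. If base_mki_start_location is unsigned, as the huge values described in the commit message suggest, and no earlier check in srtp_get_session_keys() rules it out, a packet shorter than the tag would wrap the value before the new comparison is evaluated, and the comparison would then pass. Suggest returning early when the packet length is below tag_len, adding a one-line comment on the new condition saying it prevents the subtraction on the following line from wrapping, and adding a regression test with a packet whose length lies between tag_len and tag_len + mki_size, which is the case the commit message describes.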