Overview

File sngrep-1.8.1-CVE-2024-35434.patch of Package sngrep.18414

From da80ced1e3cf6321f748b08e145a829bcc3c90e5 Mon Sep 17 00:00:00 2001
From: Kaian <kaian@irontec.com>
Date: Wed, 24 Apr 2024 09:17:37 +0200
Subject: [PATCH] rtp: properly validate for RTCP headers payload size #481

---
 src/rtp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/rtp.c b/src/rtp.c
index 09bb9fa7..db346081 100644
--- a/src/rtp.c
+++ b/src/rtp.c
@@ -271,6 +271,10 @@ rtp_check_packet(packet_t *packet)
                 // Check RTCP packet header typ
                 switch (hdr.type) {
                     case RTCP_HDR_SR:
+                        // Ensure there is enough payload to fill the header
+                        if (size < sizeof(struct rtcp_hdr_sr))
+                            break;
+
                         // Get Sender Report header
                         memcpy(&hdr_sr, payload, sizeof(hdr_sr));
                         stream->rtcpinfo.spc = ntohl(hdr_sr.spc);
@@ -283,6 +287,10 @@ rtp_check_packet(packet_t *packet)
                     case RTCP_PSFB:
                         break;
                     case RTCP_XR:
+                        // Ensure there is enough payload to fill the header
+                        if (size < sizeof(struct rtcp_hdr_xr))
+                            break;
+
                         // Get Sender Report Extended header
                         memcpy(&hdr_xr, payload, sizeof(hdr_xr));
                         bsize = sizeof(hdr_xr);
openSUSE Build Service is sponsored by
Places