[Live-devel] Fix for a possible buffer overflow in SDESItem
Jeremy Noring
jnoring at logitech.com
Thu Mar 11 09:13:23 PST 2010
On Thu, Mar 11, 2010 at 9:16 AM, Doug Porter <dsp at exacq.com> wrote:
> Jeremy Noring <jnoring at logitech.com> writes:
> >
> > Actually, on second glance, the only realistic option is to
> > shorten length, because only a single byte is allotted to the
> > size field in fData[1]. (note that length is cast to unsigned
> > char). So in RTCP.cpp, I'd change this line:
> >
> > if (length > 251) length = 251;
>
> The text of an SDES item can be up to 255 octets (IETF RFC 3550
> section 6.5).
Yeah, I realized that. I also see this code is never called with a buffer
longer than 100 bytes, so it will never overflow. But I'd still fix it,
just in case.
I'd go with:
#include <cstring> // strlen, memcpy

// first 2 bytes are tag and length, then actual data (max length of 255),
// then at least one byte for null terminator
unsigned char fData[2 + 255 + 1];
...
SDESItem::SDESItem(unsigned char tag, unsigned char const* value) {
  unsigned length = strlen((char const*)value);
  // the length field is a single octet, so clamp before the cast below
  if (length > 255) length = 255;
  fData[0] = tag;
  fData[1] = (unsigned char)length;
  memcpy(&fData[2], value, length);
  fData[2 + length] = '\0';
}
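The clamp above matters for more than the copy itself: the size field is one octet, so an unclamped length would be silently truncated by the cast (256 becomes 0) and the stored length would no longer describe what memcpy wrote. The following added example (not live555 code; the helper names are hypothetical) mirrors the proposed layout, shows the truncation the clamp prevents, and includes a consistency check a consumer of the item can run.

```c
#include <stdio.h>
#include <string.h>

/* Layout from the proposed fix: fData[0] = tag, fData[1] = length
 * (one octet, so at most 255), text at fData[2..2+length), then '\0'. */
#define SDES_MAX_TEXT 255
#define SDES_BUF_SIZE (2 + SDES_MAX_TEXT + 1)

typedef struct {
    unsigned char fData[SDES_BUF_SIZE];
} SdesItem;

/* Hypothetical helper: builds an item from a NUL-terminated string,
 * clamping the text to 255 octets as the fix does. Returns stored length. */
unsigned sdes_item_build(SdesItem *item, unsigned char tag, const char *value) {
    size_t length = strlen(value);
    if (length > SDES_MAX_TEXT) length = SDES_MAX_TEXT; /* the clamp */
    item->fData[0] = tag;
    item->fData[1] = (unsigned char)length; /* now always equal to length */
    memcpy(&item->fData[2], value, length);
    item->fData[2 + length] = '\0';
    return (unsigned)length;
}

/* What the single length octet would hold without the clamp:
 * the cast keeps only the low 8 bits, so 256 -> 0 and 299 -> 43. */
unsigned sdes_length_octet_without_clamp(size_t length) {
    return (unsigned char)length;
}

/* Consumer-side check: the text actually stored after the header must be
 * exactly as long as the length octet claims. Returns 1 if consistent. */
int sdes_item_is_consistent(const SdesItem *item) {
    unsigned len = item->fData[1];
    return strlen((const char *)&item->fData[2]) == len;
}

int main(void) {
    char longvalue[300]; /* constructed 299-character CNAME */
    SdesItem item;
    memset(longvalue, 'A', sizeof longvalue - 1);
    longvalue[sizeof longvalue - 1] = '\0';
    unsigned n = sdes_item_build(&item, 1, longvalue);
    printf("stored %u octets, length octet %u, consistent=%d\n",
           n, item.fData[1], sdes_item_is_consistent(&item));
    printf("without the clamp, 299 would be recorded as %u\n",
           sdes_length_octet_without_clamp(299));
    return 0;
}
```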