Unchecked memcpy in nr_stun_msg_create2

RESOLVED DUPLICATE of bug 818293

Status

()

Core
WebRTC: Networking
RESOLVED DUPLICATE of bug 818293
6 years ago
3 years ago

People

(Reporter: ekr, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
The following code is very unsafe. We need to check length somewhere
or alternately truncate to the buffer length.

int
nr_stun_message_create2(nr_stun_message **msg, UCHAR *buffer, int length)
{
    int r,_status;
    nr_stun_message *m = 0;

    if ((r=nr_stun_message_create(&m)))
        ABORT(r);

    memcpy(m->buffer, buffer, length);
    m->length = length;

    *msg = m;

    _status=0;
  abort:
    return(_status);
}
(Reporter)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 818293
Group: core-security
You need to log in before you can comment on or make changes to this bug.