Closed Bug 818292 Opened 12 years ago Closed 12 years ago

Unchecked memcpy in nr_stun_msg_create2

Categories

(Core :: WebRTC: Networking, defect)

Product:
Core
Component:
WebRTC: Networking
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 818293

People

(Reporter: ekr, Unassigned)

Details

The following code is very unsafe. We need to check length somewhere or alternately truncate to the buffer length. int nr_stun_message_create2(nr_stun_message **msg, UCHAR *buffer, int length) { int r,_status; nr_stun_message *m = 0; if ((r=nr_stun_message_create(&m))) ABORT(r); memcpy(m->buffer, buffer, length); m->length = length; *msg = m; _status=0; abort: return(_status); }
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.