diff options
| author | Pascal Buhler <pabuhler@cisco.com> | 2018-02-08 07:37:48 +0100 |
|---|---|---|
| committer | Pascal Buhler <pabuhler@cisco.com> | 2018-02-09 09:00:41 +0100 |
| commit | 9546e959f9c02a5b5f250d7841a537e89a4f4434 (patch) | |
| tree | f9304fdcbec4e8286f120a261bbbdc02cd1d6333 /srtp | |
| parent | 8ec13a7eb1fa099daef61745533f4661277c1e16 (diff) | |
| download | libsrtp2-9546e959f9c02a5b5f250d7841a537e89a4f4434.tar.gz | |
Prevent OOB access of stream_template->session_keys
The template may not have been used for the deallocated
stream, therefore the size of the session_keys array
could be different.
Should maybe contain a pointer to template from stream
so it is explicitly known that it was used.
Diffstat (limited to 'srtp')
| -rw-r--r-- | srtp/srtp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/srtp/srtp.c b/srtp/srtp.c index abaccf4..405d1ce 100644 --- a/srtp/srtp.c +++ b/srtp/srtp.c @@ -164,7 +164,8 @@ srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream, for (i = 0; i < stream->num_master_keys; i++) { session_keys = &stream->session_keys[i]; - if (stream_template) { + if (stream_template && + stream->num_master_keys == stream_template->num_master_keys) { template_session_keys = &stream_template->session_keys[i]; } else { template_session_keys = NULL; |