From 6b1eec0630516698ac9cd3343ef7eb8515fee231 Mon Sep 17 00:00:00 2001 From: Jakub Adam Date: Thu, 3 Jan 2019 21:26:41 +0100 Subject: [PATCH] udp-turn: Avoid potential integer overflow --- socket/udp-turn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/socket/udp-turn.c b/socket/udp-turn.c index 1bc5e031..c3b152d1 100644 --- a/socket/udp-turn.c +++ b/socket/udp-turn.c @@ -362,7 +362,7 @@ socket_recv_messages (NiceSocket *sock, guint f_buffer_len = priv->fragment_buffer->len; for (i = 0; i < n_recv_messages && f_buffer_len >= sizeof (guint16); ++i) { - guint16 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16); + guint32 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16); if (msg_len > f_buffer_len) { /* The next message in the buffer isn't complete yet. Wait for more @@ -450,7 +450,7 @@ socket_recv_messages (NiceSocket *sock, if (nice_socket_is_reliable (sock) && parsed_buffer_length > 0) { /* Determine the portion of the current NiceInputMessage we can already * return. */ - guint16 msg_len = 0; + gint32 msg_len = 0; if (!priv->fragment_buffer) { msg_len = ((buffer[0] << 8) | buffer[1]) + sizeof (guint16); if (msg_len > parsed_buffer_length) {