Fix calculation of RTP/SRTP packet end address
Our validation of `enc_start` was subtly wrong; we were adding a length
in octets as if it were a length in 4-byte words. This would allow underflow of
`enc_octet_len`. This commit corrects the calculation.
Relates-to: fe367616718862a228f5859b83c383593dd4b79d
diff --git a/srtp/srtp.c b/srtp/srtp.c
index 1f7ac12..a17732a 100644
--- a/srtp/srtp.c
+++ b/srtp/srtp.c
@@ -886,7 +886,7 @@
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
- if (!(enc_start < (uint32_t*)hdr + *pkt_octet_len))
+ if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
return err_status_parse_err;
enc_octet_len = (unsigned int)(*pkt_octet_len -
((enc_start - (uint32_t*)hdr) << 2));
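Review bot: The corrected bound checks where `enc_start` lands but not the read that moved it there: `ntohs(xtn_hdr->length)` on the line above dereferences the four-byte extension header before anything visible in this hunk confirms those bytes lie within `*pkt_octet_len`. Unless an earlier check outside the hunk guarantees at least `sizeof(srtp_hdr_xtnd_t)` octets beyond the fixed header and CSRC list, a truncated packet with `x == 1` still reads past the buffer, and the same pattern recurs in the hunks at lines 1013, 1238 and 1521. A guard placed before the extension header is read, such as `if ((uint8_t*)enc_start + sizeof(srtp_hdr_xtnd_t) > (uint8_t*)hdr + *pkt_octet_len) return err_status_parse_err;`, would close that gap. Note also that `enc_start += ...` can form a pointer beyond the packet before the comparison runs; comparing octet offsets against `*pkt_octet_len` instead of pointers would avoid relying on that. The enclosing function starts and ends outside the hunk.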
@@ -1013,7 +1013,7 @@
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t*)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
- if (!(enc_start < (uint32_t*)hdr + *pkt_octet_len))
+ if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
return err_status_parse_err;
/*
* We pass the tag down to the cipher when doing GCM mode
@@ -1238,7 +1238,7 @@
if (hdr->x == 1) {
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
- if (!(enc_start < (uint32_t*)hdr + *pkt_octet_len))
+ if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
return err_status_parse_err;
}
enc_octet_len = (unsigned int)(*pkt_octet_len
@@ -1521,7 +1521,7 @@
srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
enc_start += (ntohs(xtn_hdr->length) + 1);
}
- if (!(enc_start < (uint32_t*)hdr + *pkt_octet_len))
+ if (!((uint8_t*)enc_start < (uint8_t*)hdr + *pkt_octet_len))
return err_status_parse_err;
enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len
- ((enc_start - (uint32_t *)hdr) << 2));
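Review bot: The new check on its own does not prevent the unsigned wrap the commit message describes for this site, because the subtraction two lines below also removes `tag_len`, and nothing in the hunk shows `tag_len` being validated against the octets remaining after `enc_start`. If that is not done earlier in the function (outside the hunk), a packet whose payload is shorter than the tag yields a very large `enc_octet_len` despite passing the bound. Making the requirement explicit next to the check, e.g. `if ((uint8_t*)hdr + *pkt_octet_len - (uint8_t*)enc_start < tag_len) return err_status_parse_err;`, would document the invariant the subtraction depends on. The enclosing function continues outside the hunk.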