Commit da9a1a29 authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

SRTP: integer overflow

(cherry picked from commit e76f990e0ba00a9f573c23627ecd66cb9ae9bdd5)
parent f832dd02
...@@ -738,7 +738,7 @@ static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len) ...@@ -738,7 +738,7 @@ static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
{ {
/* Packet in the future, good */ /* Packet in the future, good */
s->rtcp.window = s->rtcp.window << diff; s->rtcp.window = s->rtcp.window << diff;
s->rtcp.window |= 1; s->rtcp.window |= UINT64_C(1);
s->rtcp_index = index; s->rtcp_index = index;
} }
else else
...@@ -747,7 +747,7 @@ static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len) ...@@ -747,7 +747,7 @@ static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
diff = -diff; diff = -diff;
if ((diff >= 64) || ((s->rtcp.window >> diff) & 1)) if ((diff >= 64) || ((s->rtcp.window >> diff) & 1))
return EACCES; // replay attack! return EACCES; // replay attack!
s->rtp.window |= 1 << diff; s->rtp.window |= UINT64_C(1) << diff;
} }
/* Crypts SRTCP */ /* Crypts SRTCP */
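Review bot: In the second hunk of srtcp_crypt the replay test reads `s->rtcp.window`, but the line that records the packet writes `s->rtp.window`, so an accepted out-of-order SRTCP packet appears never to be marked in the RTCP window, and a bit is set in what looks like the RTP replay window instead. The commit widens the constant on that line but keeps the field; if the RTCP window is what is meant, the line should read `s->rtcp.window |= UINT64_C(1) << diff;`. As written, a late SRTCP packet that passes the check once would pass it again when redelivered, which weakens the replay protection this branch exists for. In the first hunk `s->rtcp.window << diff` has no visible upper bound on `diff`; the guard is outside the hunk, so confirm that `diff` is below 64 before the shift, since shifting a 64-bit value by 64 or more is undefined. The function body starts and ends outside both hunks.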
......