Google Git
Sign in
webrtc / src.git / f75901fa4c5f9a1bcefc265b98a480c72119650c^! / .
commitf75901fa4c5f9a1bcefc265b98a480c72119650c[log] [tgz]
authorhenrika@webrtc.org <henrika@webrtc.org@4adac7df-926f-26a2-2b94-8c16560cd09d>Mon Jan 16 08:45:42 2012
committerhenrika@webrtc.org <henrika@webrtc.org@4adac7df-926f-26a2-2b94-8c16560cd09d>Mon Jan 16 08:45:42 2012
tree13d83dec97e39ae453f4ce5b128baaf1b7265efa
parentf5c657372517947cca2247f3762c9ea59e6fe8c4 [diff]
Resolves CID 10540: Copy into fixed size buffer (STRING_OVERFLOW).

You might overrun the 32 byte fixed-size string "receiveCodec.plname" by copying "payloadName" without checking the length.
Note: This defect has an elevated risk because the source argument is a parameter of the current function.
Review URL: http://webrtc-codereview.appspot.com/352009

git-svn-id: http://webrtc.googlecode.com/svn/trunk@1428 4adac7df-926f-26a2-2b94-8c16560cd09d

diff --git a/src/common_types.h b/src/common_types.h
index 8106945..62eb3db 100644
--- a/src/common_types.h
+++ b/src/common_types.h

@@ -25,6 +25,8 @@
     #define NULL 0
 #endif
 
+#define RTP_PAYLOAD_NAME_SIZE 32
+
 namespace webrtc {
 
 class InStream
@@ -203,7 +205,7 @@
 struct CodecInst
 {
     int pltype;
-    char plname[32];
+    char plname[RTP_PAYLOAD_NAME_SIZE];
     int plfreq;
     int pacsize;
     int channels;

diff --git a/src/modules/rtp_rtcp/interface/rtp_rtcp_defines.h b/src/modules/rtp_rtcp/interface/rtp_rtcp_defines.h
index be04b39..6788499 100644
--- a/src/modules/rtp_rtcp/interface/rtp_rtcp_defines.h
+++ b/src/modules/rtp_rtcp/interface/rtp_rtcp_defines.h

@@ -20,7 +20,6 @@
 
 #define RTCP_CNAME_SIZE 256    // RFC 3550 page 44, including null termination
 #define IP_PACKET_SIZE 1500    // we assume ethernet
-#define RTP_PAYLOAD_NAME_SIZE 32
 #define MAX_NUMBER_OF_PARALLEL_TELEPHONE_EVENTS 10
 #define TIMEOUT_SEI_MESSAGES_MS 30000   // in milliseconds
 

diff --git a/src/voice_engine/main/source/channel.cc b/src/voice_engine/main/source/channel.cc
index e4e5f32..9e00c3e 100644
--- a/src/voice_engine/main/source/channel.cc
+++ b/src/voice_engine/main/source/channel.cc

@@ -645,15 +645,15 @@
 
     assert(VoEChannelId(id) == _channelId);
 
-    CodecInst receiveCodec;
-    CodecInst dummyCodec;
+    CodecInst receiveCodec = {0};
+    CodecInst dummyCodec = {0};
 
     receiveCodec.pltype = payloadType;
-    strcpy(receiveCodec.plname, payloadName);
     receiveCodec.plfreq = frequency;
     receiveCodec.channels = channels;
     receiveCodec.rate = rate;
-
+    strncpy(receiveCodec.plname, payloadName, RTP_PAYLOAD_NAME_SIZE - 1);
+    
     _audioCodingModule.Codec(payloadName, dummyCodec, frequency);
     receiveCodec.pacsize = dummyCodec.pacsize;