bounds check length passed to memcpy.

git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@6846 d0543943-73ff-0310-b7d9-9358b9ac24b2

bounds check length passed to memcpy.
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@6846 d0543943-73ff-0310-b7d9-9358b9ac24b2
6683db65 · Michael Jerris · 304d5004 · 6683db65
--- a/src/switch_rtp.c
+++ b/src/switch_rtp.c
@@ -215,8 +215,13 @@ static void handle_ice(switch_rtp_t *rtp_session, void *data, switch_size_t len)
 	switch_stun_packet_attribute_t *attr;
 	char username[33] = { 0 };
 	unsigned char buf[512] = { 0 };
+	switch_size_t cpylen = len;
+	
+	if (cpylen > 512) {
+		cpylen = 512;
+	}

-	memcpy(buf, data, len);
+	memcpy(buf, data, cpylen);
 	packet = switch_stun_packet_parse(buf, sizeof(buf));
 	rtp_session->last_stun = switch_time_now();

@@ -1651,6 +1656,10 @@ SWITCH_DECLARE(int) switch_rtp_write_manual(switch_rtp_t *rtp_session,
 		return -1;
 	}

+	if (datalen > SWITCH_RTP_MAX_BUF_LEN) {
+		return -1;
+	}
+
 	send_msg = rtp_session->send_msg;
 	send_msg.header.seq = htons(mseq);
 	send_msg.header.ts = htonl(ts);