From 7a7683567cd830d376330a9f19f2558a66405b55 Mon Sep 17 00:00:00 2001
From: Taylor Brandstetter
Date: Wed, 16 Sep 2020 13:10:06 -0700
Subject: [PATCH] Check length before dereferencing SCTP notifications.

Bug: chromium:1127774
Change-Id: I6ccf1f5246dfacb26f480bac899f295f89b53d08
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/184283
Reviewed-by: Harald Alvestrand
Commit-Queue: Taylor
Cr-Commit-Position: refs/heads/master@{#32189}
---
 media/sctp/sctp_transport.cc | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/media/sctp/sctp_transport.cc b/media/sctp/sctp_transport.cc
index bb520c036f..6dbce1369f 100644
--- a/media/sctp/sctp_transport.cc
+++ b/media/sctp/sctp_transport.cc
@@ -1239,14 +1239,31 @@ void SctpTransport::OnDataFromSctpToTransport(
 
 void SctpTransport::OnNotificationFromSctp(
     const rtc::CopyOnWriteBuffer& buffer) {
   RTC_DCHECK_RUN_ON(network_thread_);
+  if (buffer.size() < sizeof(sctp_notification::sn_header)) {
+    RTC_LOG(LS_ERROR) << "SCTP notification is shorter than header size: "
+                      << buffer.size();
+    return;
+  }
+
   const sctp_notification& notification =
       reinterpret_cast(*buffer.data());
-  RTC_DCHECK(notification.sn_header.sn_length == buffer.size());
+  if (buffer.size() != notification.sn_header.sn_length) {
+    RTC_LOG(LS_ERROR) << "SCTP notification length (" << buffer.size()
+                      << ") does not match sn_length field ("
+                      << notification.sn_header.sn_length << ").";
+    return;
+  }
   // TODO(ldixon): handle notifications appropriately.
   switch (notification.sn_header.sn_type) {
     case SCTP_ASSOC_CHANGE:
       RTC_LOG(LS_VERBOSE) << "SCTP_ASSOC_CHANGE";
+      if (buffer.size() < sizeof(notification.sn_assoc_change)) {
+        RTC_LOG(LS_ERROR)
+            << "SCTP_ASSOC_CHANGE notification has less than required length: "
+            << buffer.size();
+        return;
+      }
       OnNotificationAssocChange(notification.sn_assoc_change);
       break;
     case SCTP_REMOTE_ERROR:
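Review bot: The per-type guard added before `OnNotificationAssocChange` (and the matching guards for SCTP_SEND_FAILED_EVENT and SCTP_STREAM_RESET_EVENT in the next two hunks) compares against `sizeof` of a union member that, as declared in usrsctp, ends in a flexible array member (`sac_info[]`, `ssfe_data[]`, `strreset_stream_list[]`), so it only proves the fixed part is present; any read of the trailing data is bounded solely by the new `buffer.size() != sn_length` check above it. That is sufficient provided the callees derive their element counts from the length field, which I cannot confirm from this hunk since `OnNotificationAssocChange` and `OnStreamResetEvent` are defined elsewhere. A comment on the first `sizeof` check would make the contract explicit for the next person adding a case: `// sizeof() covers only the fixed part of each event; variable-length tails are bounded by the sn_length == buffer.size() check above.` OnNotificationFromSctp continues past the end of this hunk.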
@@ -1273,6 +1290,12 @@ void SctpTransport::OnNotificationFromSctp(
       RTC_LOG(LS_INFO) << "SCTP_NOTIFICATIONS_STOPPED_EVENT";
       break;
     case SCTP_SEND_FAILED_EVENT: {
+      if (buffer.size() < sizeof(notification.sn_send_failed_event)) {
+        RTC_LOG(LS_ERROR) << "SCTP_SEND_FAILED_EVENT notification has less "
+                             "than required length: "
+                          << buffer.size();
+        return;
+      }
       const struct sctp_send_failed_event& ssfe =
           notification.sn_send_failed_event;
       RTC_LOG(LS_WARNING) << "SCTP_SEND_FAILED_EVENT: message with"
@@ -1285,6 +1308,12 @@ void SctpTransport::OnNotificationFromSctp(
       break;
     }
     case SCTP_STREAM_RESET_EVENT:
+      if (buffer.size() < sizeof(notification.sn_strreset_event)) {
+        RTC_LOG(LS_ERROR) << "SCTP_STREAM_RESET_EVENT notification has less "
+                             "than required length: "
+                          << buffer.size();
+        return;
+      }
       OnStreamResetEvent(¬ification.sn_strreset_event);
       break;
     case SCTP_ASSOC_RESET_EVENT:
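Review bot: The length guard at the top of `case SCTP_SEND_FAILED_EVENT` is the third copy of the same five-line pattern (SCTP_ASSOC_CHANGE in the previous hunk, SCTP_STREAM_RESET_EVENT in the next), differing only in the union member and the event name spliced into the log message; a small local helper defined once after the `sn_length` check would keep the three checks identical and make a fourth one harder to get wrong. The helper takes the required size and the event name, logs and returns `false` on a short buffer, so each case reduces to a single `if (!require_length(...)) return;`. Passing the name as a separate argument also removes the split string literal (`"... has less " "than required length: "`) used here and in the next hunk. The enclosing function starts in the previous hunk and continues past this one.
```cpp
  // Reject a notification that is too short for the union member a given
  // event type reads; logs and returns false when it is.
  const auto require_length = [&buffer](size_t required,
                                        const char* event_name) {
    if (buffer.size() < required) {
      RTC_LOG(LS_ERROR) << event_name
                        << " notification has less than required length: "
                        << buffer.size();
      return false;
    }
    return true;
  };
  // … unchanged: sn_length check, switch, earlier cases …
    case SCTP_SEND_FAILED_EVENT: {
      if (!require_length(sizeof(notification.sn_send_failed_event),
                          "SCTP_SEND_FAILED_EVENT")) {
        return;
      }
      // … unchanged: ssfe logging …
```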