From eae378c767dc6a245a721163d64133ede9b3831f Mon Sep 17 00:00:00 2001
From: Sebastian Reimers
Date: Wed, 16 Mar 2022 14:05:35 +0100
Subject: [PATCH] srtp/srtcp: add sanity check for rtcp->tag_len

Ref: https://sonarcloud.io/project/issues?issues=AX9vBNA_YH-a2i9ountq&open=AX9vBNA_YH-a2i9ountq&id=baresip_re
---
 src/srtp/srtcp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/srtp/srtcp.c b/src/srtp/srtcp.c
index 4f8ed9e67..4be0cc169 100644
--- a/src/srtp/srtcp.c
+++ b/src/srtp/srtcp.c
@@ -172,6 +172,9 @@ int srtcp_decrypt(struct srtp *srtp, struct mbuf *mb)
 uint8_t tag_pkt[SHA_DIGEST_LENGTH] = {0};
 const size_t tag_start = mb->pos;
 
+ if (rtcp->tag_len > SHA_DIGEST_LENGTH)
+ return ERANGE;
+
 err = mbuf_read_mem(mb, tag_pkt, rtcp->tag_len);
 if (err)
 return err;
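Review bot: The new guard in srtcp_decrypt compares `rtcp->tag_len` with the `SHA_DIGEST_LENGTH` constant rather than with the buffer it protects; `if (rtcp->tag_len > sizeof(tag_pkt))` would keep the bound tied to `tag_pkt` if that declaration ever changes. A short comment such as `/* tag_pkt is a fixed-size stack buffer; reject a tag_len that mbuf_read_mem() would write past its end */` would record why the check is there. `tag_len` looks like per-session state rather than a value taken from the packet, so it may be worth rejecting an oversized value where the session is configured as well; that code is not visible here. The enclosing block of srtcp_decrypt starts and ends outside the hunk, so how the tag is compared after the read cannot be checked from this patch.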