From 9b69f693e495ceef670db6f9147bebd4dd6c835c Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Wed, 19 Jan 2022 12:25:25 +0100 Subject: [PATCH] dtls-srtp: check that length of strings matched before memcomparing otherwise if profile_str_len is > strlen(gSrtpProfiles[i].name) we end up comparing memory past gSrtpProfiles[i].name. -fsanitize=address catches this: ``` ==100159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f40d8d533b2 at pc 0x7f40d8eb014f bp 0x7f40d50fe240 sp 0x7f40d50fd9e8 READ of size 21 at 0x7f40d8d533b2 thread T107 #0 0x7f40d8eb014e in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 #1 0x7f40d8eb06e6 in __interceptor_memcmp /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892 #2 0x7f40d8eb06e6 in __interceptor_memcmp /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887 #3 0x7f40d8c2e830 in DtlsSrtpFindProfile src/ssl.c:1310 #4 0x7f40d8c2e9ed in DtlsSrtpSelProfiles src/ssl.c:1347 #5 0x7f40d8c2eada in wolfSSL_CTX_set_tlsext_use_srtp src/ssl.c:1359 #6 0x563bf381b4c5 in server_test examples/server/server.c:2278 #7 0x7f40d88f0258 in start_thread (/usr/lib/libpthread.so.0+0x9258) #8 0x7f40d88195e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2) ``` --- src/ssl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 3addd1ed1..a1deb34fc 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -1301,13 +1301,18 @@ static const WOLFSSL_SRTP_PROTECTION_PROFILE gSrtpProfiles[] = { static const WOLFSSL_SRTP_PROTECTION_PROFILE* DtlsSrtpFindProfile( const char* profile_str, word32 profile_str_len, unsigned long id) { + size_t srtp_profile_len; int i; const WOLFSSL_SRTP_PROTECTION_PROFILE* profile = NULL; for (i=0; i<(int)(sizeof(gSrtpProfiles)/sizeof(WOLFSSL_SRTP_PROTECTION_PROFILE)); i++) { if (profile_str != NULL) { - if (XMEMCMP(gSrtpProfiles[i].name, profile_str, profile_str_len) + srtp_profile_len = strlen(gSrtpProfiles[i].name); + if (srtp_profile_len != profile_str_len) + continue; + + if (XMEMCMP(gSrtpProfiles[i].name, profile_str, profile_str_len) == 0) { profile = &gSrtpProfiles[i]; break;
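Review bot: The added length check calls `strlen` directly, while the comparison just below it goes through the `XMEMCMP` wrapper, so a build that remaps the string routines through the X-macros would bypass its replacement here; prefer `srtp_profile_len = XSTRLEN(gSrtpProfiles[i].name);`. The equality test also turns what was a prefix comparison over `profile_str_len` bytes into an exact match, and that is what keeps the `XMEMCMP` read inside `name`. A short comment above the check, such as `/* lengths must match so XMEMCMP never reads past name */`, would stop a later cleanup from dropping it as redundant. The loop and the function body continue past the end of this hunk, so the effect of the new `continue` on the rest of the iteration cannot be checked from here.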