ooh323c: not checking for IE minimum length

When decoding q.931 encoded calling/called number now checking for length being less than minimum required. ASTERISK-30103 Change-Id: I3dcfce0f35eca258dc450f87c92d4d7af402c2e7
2025-10-31 10:47:18 +00:00 · 2022-06-06 17:11:30 -06:00
parent 37b0727288
commit 16a7a98643
1 changed files with 9 additions and 6 deletions
--- a/addons/ooh323c/src/ooq931.c
+++ b/addons/ooh323c/src/ooq931.c
@@ -192,11 +192,13 @@ EXTERN int ooQ931Decode
         screening indicators ;-) */
      if(ie->discriminator == Q931CallingPartyNumberIE)
      {
+         int numoffset=1;
         OOTRACEDBGB1("   CallingPartyNumber IE = {\n");
-         if(ie->length < OO_MAX_NUMBER_LENGTH)
+         if(!(0x80 & ie->data[0])) numoffset = 2;
+
+         if( (ie->length >= numoffset) &&
+             (ie->length < OO_MAX_NUMBER_LENGTH) )
         {
-            int numoffset=1;
-            if(!(0x80 & ie->data[0])) numoffset = 2;
            memcpy(number, ie->data+numoffset,ie->length-numoffset);
            number[ie->length-numoffset]='\0';
            OOTRACEDBGB2("      %s\n", number);
@@ -204,7 +206,7 @@ EXTERN int ooQ931Decode
               ooCallSetCallingPartyNumber(call, number);
         }
         else{
-            OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+            OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
                           call->callType, call->callToken);
         }
         OOTRACEDBGB1("   }\n");
@@ -214,7 +216,8 @@ EXTERN int ooQ931Decode
      if(ie->discriminator == Q931CalledPartyNumberIE)
      {
         OOTRACEDBGB1("   CalledPartyNumber IE = {\n");
-         if(ie->length < OO_MAX_NUMBER_LENGTH)
+         if( (ie->length >= 1) &&
+             (ie->length < OO_MAX_NUMBER_LENGTH) )
         {
            memcpy(number, ie->data+1,ie->length-1);
            number[ie->length-1]='\0';
@@ -223,7 +226,7 @@ EXTERN int ooQ931Decode
               ooCallSetCalledPartyNumber(call, number);
         }
         else{
-            OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+            OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
                           call->callType, call->callToken);
         }
         OOTRACEDBGB1("   }\n");