kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-10-14 00:24:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Don't read into a buffer without first checking if a value is beyond the end.

Browse Source 
(closes issue #13600)
 Reported by: atis
 Patches: 
       20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
 Tested by: atis


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@168603 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Tilghman Lesher
2009-01-14 19:02:55 +00:00
parent 3af85c8b97
commit 99313c7b92
1 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
main/udptl.c
View File

@@ -156,15 +156,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr)
static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
{ {
if (*len >= limit)
return -1;
if ((buf[*len] & 0x80) == 0) { if ((buf[*len] & 0x80) == 0) {
if (*len >= limit)
return -1;
*pvalue = buf[*len]; *pvalue = buf[*len];
(*len)++; (*len)++;
return 0; return 0;
} }
if ((buf[*len] & 0x40) == 0) { if ((buf[*len] & 0x40) == 0) {
if (*len >= limit - 1) if (*len == limit - 1)
return -1; return -1;
*pvalue = (buf[*len] & 0x3F) << 8; *pvalue = (buf[*len] & 0x3F) << 8;
(*len)++; (*len)++;
@@ -172,8 +172,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
(*len)++; (*len)++;
return 0; return 0;
} }
if (*len >= limit)
return -1;
*pvalue = (buf[*len] & 0x3F) << 14; *pvalue = (buf[*len] & 0x3F) << 14;
(*len)++; (*len)++;
/* Indicate we have a fragment */ /* Indicate we have a fragment */