diff options
author | dbailey <dbailey@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-05-10 21:25:05 +0000 |
---|---|---|
committer | dbailey <dbailey@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-05-10 21:25:05 +0000 |
commit | ea954e241155cd964361151e8a4f13a77d34f171 (patch) | |
tree | 969d84c5a81c2a506f41d695f709633316631e80 | |
parent | d0fcd9f645d580c1898fb2fa3e950c216b9e6d57 (diff) |
Added check for negative offset in cid spill to prevent infinite loops
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@63786 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r-- | main/callerid.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/main/callerid.c b/main/callerid.c index 002666aa9..74b8d9200 100644 --- a/main/callerid.c +++ b/main/callerid.c @@ -636,6 +636,12 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, int default: ast_log(LOG_NOTICE, "Unknown IE %d\n", cid->rawdata[x - 1]); } + if(0 > cid->rawdata[x]){ /* Negative offset in the CID Spill */ + ast_log(LOG_NOTICE, "IE %d has bad field length of %d at offset %d\n", cid->rawdata[x-1], cid->rawdata[x], x); + /* Try again */ + cid->sawflag = 0; + break; /* Exit the loop */ + } x += cid->rawdata[x]; x++; } |