diff options
| author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-01-14 19:02:55 +0000 |
|---|---|---|
| committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-01-14 19:02:55 +0000 |
| commit | 232d13bac0be2c04f01eafe1b43eb9d5aa88fe88 (patch) | |
| tree | cd5540c95b11db7e7bea8412a8081120c3640f2f | |
| parent | 280044ed2c2fe53ebe679164488cfa36983f37f9 (diff) | |
Don't read into a buffer without first checking if a value is beyond the end.
(closes issue #13600)
Reported by: atis
Patches:
20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
Tested by: atis
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@168603 f38db490-d61c-443f-a65b-d21fe96a405b
| -rw-r--r-- | main/udptl.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/main/udptl.c b/main/udptl.c index a9386ac09..679282731 100644 --- a/main/udptl.c +++ b/main/udptl.c @@ -156,15 +156,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr) static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) { + if (*len >= limit) + return -1; if ((buf[*len] & 0x80) == 0) { - if (*len >= limit) - return -1; *pvalue = buf[*len]; (*len)++; return 0; } if ((buf[*len] & 0x40) == 0) { - if (*len >= limit - 1) + if (*len == limit - 1) return -1; *pvalue = (buf[*len] & 0x3F) << 8; (*len)++; @@ -172,8 +172,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) (*len)++; return 0; } - if (*len >= limit) - return -1; *pvalue = (buf[*len] & 0x3F) << 14; (*len)++; /* Indicate we have a fragment */ |