diff options
| author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-01-14 19:11:56 +0000 |
|---|---|---|
| committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-01-14 19:11:56 +0000 |
| commit | 218db93ba9b7e54f2f0bc12b738e6d7963b6d8c6 (patch) | |
| tree | 76d1df07e4537f50cd81d2b2adf385db8cd4009b | |
| parent | bab9ab38206adda0737995c4958c8e4810bd55bd (diff) | |
Merged revisions 168604 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
................
r168604 | tilghman | 2009-01-14 13:11:14 -0600 (Wed, 14 Jan 2009) | 14 lines
Merged revisions 168603 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines
Don't read into a buffer without first checking if a value is beyond the end.
(closes issue #13600)
Reported by: atis
Patches:
20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
Tested by: atis
........
................
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.0@168605 f38db490-d61c-443f-a65b-d21fe96a405b
| -rw-r--r-- | main/udptl.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/main/udptl.c b/main/udptl.c index 79fd3809b..6bfcf47b8 100644 --- a/main/udptl.c +++ b/main/udptl.c @@ -176,15 +176,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr) static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) { + if (*len >= limit) + return -1; if ((buf[*len] & 0x80) == 0) { - if (*len >= limit) - return -1; *pvalue = buf[*len]; (*len)++; return 0; } if ((buf[*len] & 0x40) == 0) { - if (*len >= limit - 1) + if (*len == limit - 1) return -1; *pvalue = (buf[*len] & 0x3F) << 8; (*len)++; @@ -192,8 +192,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) (*len)++; return 0; } - if (*len >= limit) - return -1; *pvalue = (buf[*len] & 0x3F) << 14; (*len)++; /* Indicate we have a fragment */ |