Merged revisions 264400 via svnmerge from

https://origsvn.digium.com/svn/asterisk/trunk ........ r264400 | dvossel | 2010-05-19 15:30:33 -0500 (Wed, 19 May 2010) | 11 lines fixes infinite loop during udptl.c's decode_open_type When decode_length returns the length there is a check to see if that length is negative, if so the decode loop breaks as this means the limit has been reached. The problem here is that length is an unsigned int, so length can never be negative. This resulted in an infinite loop. (issue #17352) ........ git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.2@264405 f38db490-d61c-443f-a65b-d21fe96a405b
author: dvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b> 2010-05-19 20:31:35 +0000
committer: dvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b> 2010-05-19 20:31:35 +0000
commit: a8f67da16d7ff4d49309f9fee4acfa61e3ad4caf (patch)
tree: 32af43d9a6e903d8680e0b690983a4878311b86d
parent: 54cc9736580466d814306297cd650834b6663043 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/main/udptl.c b/main/udptl.c
index b8fde1cc2..d120c27fb 100644
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -226,8 +226,8 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
 {
 	unsigned int octet_cnt;
 	unsigned int octet_idx;
-	unsigned int length;
 	unsigned int i;
+	int length; /* a negative length indicates the limit has been reached in decode_length. */
 	const uint8_t **pbuf;
 
 	for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {
author	dvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b>	2010-05-19 20:31:35 +0000
committer	dvossel <dvossel@f38db490-d61c-443f-a65b-d21fe96a405b>	2010-05-19 20:31:35 +0000
commit	a8f67da16d7ff4d49309f9fee4acfa61e3ad4caf (patch)
tree	32af43d9a6e903d8680e0b690983a4878311b86d
parent	54cc9736580466d814306297cd650834b6663043 (diff)