diff options
| author | dbailey <dbailey@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-05-10 20:48:54 +0000 |
|---|---|---|
| committer | dbailey <dbailey@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-05-10 20:48:54 +0000 |
| commit | 8a667c5594482d21209b4762f5343d1b92266037 (patch) | |
| tree | 53fecb70b299dc6c512ecf6ef66f9017839294a2 /main/callerid.c | |
| parent | acc92ff02d3edd46ff9acc5365a289a7a3a368f7 (diff) | |
Add test for negative offsets in cid data to prevent infinite loops.
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@63750 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'main/callerid.c')
| -rw-r--r-- | main/callerid.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/main/callerid.c b/main/callerid.c index 9f42ccf1f..901137348 100644 --- a/main/callerid.c +++ b/main/callerid.c @@ -660,6 +660,12 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, int default: ast_log(LOG_NOTICE, "Unknown IE %d\n", cid->rawdata[x-1]); } + if(0 > cid->rawdata[x]){ /* Negative offset in the CID Spill */ + ast_log(LOG_NOTICE, "IE %d has bad field length of %d at offset %d\n", cid->rawdata[x-1], cid->rawdata[x], x); + /* Try again */ + cid->sawflag = 0; + break; /* Exit the loop */ + } x += cid->rawdata[x]; x++; } |