diff options
author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-01-14 19:11:14 +0000 |
---|---|---|
committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2009-01-14 19:11:14 +0000 |
commit | ec7564e8529e95a2f6123d195c590f3d3b2f6281 (patch) | |
tree | 449b44c81aba0e00dca4ee8dcc3c8cea7fbec631 /main/udptl.c | |
parent | cf93c22a55bca32b214d04a57f8e80601ca8a3c6 (diff) |
Merged revisions 168603 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines
Don't read into a buffer without first checking if a value is beyond the end.
(closes issue #13600)
Reported by: atis
Patches:
20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
Tested by: atis
........
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@168604 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'main/udptl.c')
-rw-r--r-- | main/udptl.c | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/main/udptl.c b/main/udptl.c index 52f7c99f2..9c64d06d4 100644 --- a/main/udptl.c +++ b/main/udptl.c @@ -176,15 +176,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr) static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) { + if (*len >= limit) + return -1; if ((buf[*len] & 0x80) == 0) { - if (*len >= limit) - return -1; *pvalue = buf[*len]; (*len)++; return 0; } if ((buf[*len] & 0x40) == 0) { - if (*len >= limit - 1) + if (*len == limit - 1) return -1; *pvalue = (buf[*len] & 0x3F) << 8; (*len)++; @@ -192,8 +192,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) (*len)++; return 0; } - if (*len >= limit) - return -1; *pvalue = (buf[*len] & 0x3F) << 14; (*len)++; /* Indicate we have a fragment */ |