From f7581a0530fcf5d3e614188e4c34ec57444913fc Mon Sep 17 00:00:00 2001
From: qwell
Date: Fri, 22 Dec 2006 20:43:05 +0000
Subject: Fix for issue 7774 - patch by alamantia
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.4@48870 f38db490-d61c-443f-a65b-d21fe96a405b
---
 channels/chan_skinny.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'channels/chan_skinny.c')
diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index 5a5deb1a3..1de7481c9 100644
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -1392,14 +1392,17 @@ static int transmit_response(struct skinnysession *s, struct skinny_req *req)
 int res = 0;
 ast_mutex_lock(&s->lock);
-#if 0
 if (skinnydebug)
- ast_verbose("writing packet type %04X (%d bytes) to socket %d\n", letohl(req->e), letohl(req->len)+8, s->fd);
-#endif
+ ast_log(LOG_VERBOSE, "writing packet type %04X (%d bytes) to socket %d\n", letohl(req->e), letohl(req->len)+8, s->fd);
+
+ if (letohl(req->len > SKINNY_MAX_PACKET) || letohl(req->len < 0) {
+ ast_log(LOG_WARNING, "transmit_response: the length of the request is out of bounds\n");
+ return -1;
+ }
 memset(s->outbuf,0,sizeof(s->outbuf));
 memcpy(s->outbuf, req, skinny_header_size);
- memcpy(s->outbuf+skinny_header_size, &req->data, sizeof(union skinny_data));
+ memcpy(s->outbuf+skinny_header_size, &req->data, letohl(req->len));
 res = write(s->fd, s->outbuf, letohl(req->len)+8);
--
cgit v1.2.3
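Review bot: The added length check in transmit_response does not test what it intends: in `if (letohl(req->len > SKINNY_MAX_PACKET) || letohl(req->len < 0) {` the comparisons sit inside the letohl() calls, so the byte swap is applied to a 0/1 result rather than to the length, and the parentheses as shown do not balance. It should read `if (letohl(req->len) > SKINNY_MAX_PACKET || letohl(req->len) < 0) {`. The new `return -1;` also exits with s->lock still held after `ast_mutex_lock(&s->lock)`, so add `ast_mutex_unlock(&s->lock);` before it (the function's normal unlock is presumably below the hunk, which ends before the function does). Because both the second memcpy and the write now use the wire length, it is worth confirming that SKINNY_MAX_PACKET plus the header fits in s->outbuf and does not exceed the size of req->data; neither definition is visible here.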