backport the chan_iax2 security fix from 1.2 and trunk ...

ensure that the received number of bytes is included in all IAX2 incoming 
frame analysis checks (fixes a known vulnerability)


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.0@32428 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_iax2.c

@@ -5052,11 +5052,11 @@ static int socket_read(int *id, int fd, short events, void *cbdata)
 		ast_log(LOG_WARNING, "midget packet received (%d of %d min)\n", res, (int)sizeof(struct ast_iax2_mini_hdr));
 		return 1;
 	}
-	if ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000)) {
+	if ((res >= sizeof(*vh)) && ((vh->zeros == 0) && (ntohs(vh->callno) & 0x8000))) {
 		/* This is a video frame, get call number */
 		fr.callno = find_callno(ntohs(vh->callno) & ~0x8000, dcallno, &sin, new, 1);
 		minivid = 1;
-	} else if (meta->zeros == 0) {
+	} else if ((res >= sizeof(*meta)) && (meta->zeros == 0) && !(ntohs(meta->metacmd) & 0x8000)) {
 		/* This is a meta header */
 		switch(meta->metacmd) {
 		case IAX_META_TRUNK:
@@ -5149,11 +5149,19 @@ static int socket_read(int *id, int fd, short events, void *cbdata)
 		}
 		return 1;
 	}
+	/* if we got here and ->zeros contains zeros, this cannot be a valid
+	   miniframe or full frame but it wasn't a valid video frame or meta
+	   frame either, so we reject it
+	*/
+	if (vh->zeros == 0) {
+		ast_log(LOG_WARNING, "Rejecting packet from '%s.%d' that is flagged as a video or meta frame but is not properly formatted\n", ast_inet_ntoa(iabuf, sizeof(iabuf), sin.sin_addr), ntohs(sin.sin_port));
+		return 1;
+	}
 #ifdef DEBUG_SUPPORT
 	if (iaxdebug)
 		iax_showframe(NULL, fh, 1, &sin, res - sizeof(struct ast_iax2_full_hdr));
 #endif
-	if (ntohs(mh->callno) & IAX_FLAG_FULL) {
+	if ((res >= sizeof(*fh)) && ntohs(mh->callno) & IAX_FLAG_FULL) {
 		/* Get the destination call number */
 		dcallno = ntohs(fh->dcallno) & ~IAX_FLAG_RETRANS;
 		/* Retrieve the type and subclass */