app_sms: BufferOverflow when receiving odd length 16 bit message

This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.

(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........

Merged revisions 403853 from http://svn.asterisk.org/svn/asterisk/branches/1.8


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@403854 65c4cc65-6c06-0410-ace0-fbb531ad65f3
10
Scott Griepentrog 12 years ago
parent 1e49af0373
commit 4865825a48

@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
}
while (l--) {
int v = *i++;
if (l--) {
if (l && l--) {
v = (v << 8) + *i++;
}
*o++ = v;
@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
} else if (is8bit(dcs)) {
unpacksms8(i, l, udh, udhl, ud, udl, udhi);
} else {
l += l % 2;
unpacksms16(i, l, udh, udhl, ud, udl, udhi);
}
return l + 1;

Loading…
Cancel
Save