Asterisk
/
asterisk
mirror of https://github.com/asterisk/asterisk
1
0
Fork 0
Code Issues Releases Wiki Activity

app_sms: BufferOverflow when receiving odd length 16 bit message

Browse Source 
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.

(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10-digiumphones@403861 65c4cc65-6c06-0410-ace0-fbb531ad65f3
10-digiumphones
Scott Griepentrog 12 years ago
parent 33ce9ae08e
commit 8105bf41f5
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File

3
apps/app_sms.c
Unescape View File

@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
}
while (l--) {
int v = *i++;
if (l--) {
if (l && l--) {
v = (v << 8) + *i++;
}
*o++ = v;
@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
} else if (is8bit(dcs)) {
unpacksms8(i, l, udh, udhl, ud, udl, udhi);
} else {
l += l % 2;
unpacksms16(i, l, udh, udhl, ud, udl, udhi);
}
return l + 1;

Write Preview
Loading…
Cancel
Save