From f55f994661d4b4a08b58a0df01b693acc33bfec2 Mon Sep 17 00:00:00 2001 From: Tilghman Lesher Date: Wed, 14 Jan 2009 19:12:33 +0000 Subject: [PATCH] Merged revisions 168604 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk ................ r168604 | tilghman | 2009-01-14 13:11:14 -0600 (Wed, 14 Jan 2009) | 14 lines Merged revisions 168603 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines Don't read into a buffer without first checking if a value is beyond the end. (closes issue #13600) Reported by: atis Patches: 20090106__bug13600.diff.txt uploaded by Corydon76 (license 14) Tested by: atis ........ ................ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.1@168606 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- main/udptl.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/main/udptl.c b/main/udptl.c index 3b747ec6bd..6c79490b18 100644 --- a/main/udptl.c +++ b/main/udptl.c @@ -176,15 +176,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr) static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) { + if (*len >= limit) + return -1; if ((buf[*len] & 0x80) == 0) { - if (*len >= limit) - return -1; *pvalue = buf[*len]; (*len)++; return 0; } if ((buf[*len] & 0x40) == 0) { - if (*len >= limit - 1) + if (*len == limit - 1) return -1; *pvalue = (buf[*len] & 0x3F) << 8; (*len)++; @@ -192,8 +192,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) (*len)++; return 0; } - if (*len >= limit) - return -1; *pvalue = (buf[*len] & 0x3F) << 14; (*len)++; /* Indicate we have a fragment */