chan_iax2: Add another check to abort frame handling if datalen < 0.

Commit 2da221e217cbff957af928e8df43ee25583232d1 added a missing abort
if datalen < 0 check on a code path and an assertion inside
iax_frame_wrap if we ever encountered a frame with a negative frame
length (which will eventually cause a crash).

Add another missing abort check for negative datalen, exposed by this
assertion. (Similar to the previous commit, this is a video frame with
a datalen of -1).

Resolves: #1865

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index c9aab2d20e8d80aa64657650310f5e25c2632d42..fabab6cb79006978ca56bd217490e0b7958574e9 100644 (file)
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -12157,6 +12157,13 @@ immediatedial:
        } else
                f.samples = 0;
 
        } else
                f.samples = 0;
 

+       if (f.datalen < 0) {
+               ast_log(LOG_ERROR, "Dropping malformed frame (datalen %d?)\n", f.datalen);
+               ast_variables_destroy(ies.vars);
+               ast_mutex_unlock(&iaxsl[fr->callno]);
+               return 1;
+       }
+

        iax_frame_wrap(fr, &f);
 
        /* If this is our most recent packet, use it as our basis for timestamping */
        iax_frame_wrap(fr, &f);
 
        /* If this is our most recent packet, use it as our basis for timestamping */