]> git.ipfire.org Git - thirdparty/asterisk.git/commitdiff
projects / thirdparty / asterisk.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1e49af0)
app_sms: BufferOverflow when receiving odd length 16 bit message
authorScott Griepentrog <sgriepentrog@digium.com>
Mon, 16 Dec 2013 15:20:50 +0000 (15:20 +0000)
committerScott Griepentrog <sgriepentrog@digium.com>
Mon, 16 Dec 2013 15:20:50 +0000 (15:20 +0000)
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.

(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........

Merged revisions 403853 from http://svn.asterisk.org/svn/asterisk/branches/1.8

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10@403854 65c4cc65-6c06-0410-ace0-fbb531ad65f3

apps/app_sms.c patch | blob | blame | history

diff --git a/apps/app_sms.c b/apps/app_sms.c
index 36c777513170af0920fa409ecd0063463956d136..55ce2dee34935705501340530601d56a032c96a8 100644 (file)
--- a/apps/app_sms.c
+++ b/apps/app_sms.c
@@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
        }
        while (l--) {
                int v = *i++;
-               if (l--) {
+               if (l && l--) {
                        v = (v << 8) + *i++;
                }
                *o++ = v;
@@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
        } else if (is8bit(dcs)) {
                unpacksms8(i, l, udh, udhl, ud, udl, udhi);
        } else {
+               l += l % 2;
                unpacksms16(i, l, udh, udhl, ud, udl, udhi);
        }
        return l + 1;
Mirror of https://github.com/asterisk/asterisk.git