]> git.ipfire.org Git - thirdparty/asterisk.git/commitdiff
projects / thirdparty / asterisk.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d85d31c)
app_sms: BufferOverflow when receiving odd length 16 bit message
authorScott Griepentrog <sgriepentrog@digium.com>
Mon, 16 Dec 2013 15:38:11 +0000 (15:38 +0000)
committerScott Griepentrog <sgriepentrog@digium.com>
Mon, 16 Dec 2013 15:38:11 +0000 (15:38 +0000)
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.

(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens

git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/branches/11.2@403859 65c4cc65-6c06-0410-ace0-fbb531ad65f3

apps/app_sms.c patch | blob | blame | history

diff --git a/apps/app_sms.c b/apps/app_sms.c
index f4b9ff3c9099d80dc289c34616e02a55e12640ad..da601629aefaf15becc37ab3500f980573a5e356 100644 (file)
--- a/apps/app_sms.c
+++ b/apps/app_sms.c
@@ -697,7 +697,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
        }
        while (l--) {
                int v = *i++;
-               if (l--) {
+               if (l && l--) {
                        v = (v << 8) + *i++;
                }
                *o++ = v;
@@ -715,6 +715,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
        } else if (is8bit(dcs)) {
                unpacksms8(i, l, udh, udhl, ud, udl, udhi);
        } else {
+               l += l % 2;
                unpacksms16(i, l, udh, udhl, ud, udl, udhi);
        }
        return l + 1;
Mirror of https://github.com/asterisk/asterisk.git