Fix buffer overrun that could have been exploited with a crafted skinny packet design...

author Michael Jerris <mike@jerris.com>

Sat, 26 Apr 2014 19:29:01 +0000 (15:29 -0400)

committer Michael Jerris <mike@jerris.com>

Sat, 26 Apr 2014 19:29:01 +0000 (15:29 -0400)
author Michael Jerris <mike@jerris.com>
Sat, 26 Apr 2014 19:29:01 +0000 (15:29 -0400)
committer Michael Jerris <mike@jerris.com>
Sat, 26 Apr 2014 19:29:01 +0000 (15:29 -0400)
diff --git a/src/mod/endpoints/mod_skinny/skinny_server.c b/src/mod/endpoints/mod_skinny/skinny_server.c

index 8af25fa96ad8917f6e33b706eacac5b6f4ac645f..af73b1978a656274a4a4d714e5f0b6138c5cd73d 100644 (file)
--- a/src/mod/endpoints/mod_skinny/skinny_server.c
+++ b/src/mod/endpoints/mod_skinny/skinny_server.c
@@ -2316,7 +2316,7 @@ switch_status_t skinny_handle_updatecapabilities(listener_t *listener, skinny_me
  
         uint32_t i = 0;
         uint32_t n = 0;
-       char *codec_order[SWITCH_MAX_CODECS];
+       char *codec_order[SKINNY_MAX_CAPABILITIES];
         char *codec_string;
  
         size_t string_len, string_pos, pos;
@@ -2329,8 +2329,8 @@ switch_status_t skinny_handle_updatecapabilities(listener_t *listener, skinny_me
         skinny_check_data_length(request, sizeof(request->data.upd_cap.audio_cap_count));
  
         n = request->data.upd_cap.audio_cap_count;
-       if (n > SWITCH_MAX_CODECS) {
-               n = SWITCH_MAX_CODECS;
+       if (n > SKINNY_MAX_CAPABILITIES) {
+               n = SKINNY_MAX_CAPABILITIES;
         }
         string_len = -1;
author	Michael Jerris <mike@jerris.com>
	Sat, 26 Apr 2014 19:29:01 +0000 (15:29 -0400)
committer	Michael Jerris <mike@jerris.com>
	Sat, 26 Apr 2014 19:29:01 +0000 (15:29 -0400)