Don't read into a buffer without first checking if a value is beyond the end.

(closes issue #13600)
 Reported by: atis
 Patches:
       20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
 Tested by: atis

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@168603 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/main/udptl.c b/main/udptl.c
index a9386ac099bb734c38f4f74be761ea4ad244ac80..679282731cf130959a106e128367b17bc79b45b6 100644 (file)
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -156,15 +156,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr)
 
 static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
 {
+       if (*len >= limit)
+               return -1;
        if ((buf[*len] & 0x80) == 0) {
-               if (*len >= limit)
-                       return -1;
                *pvalue = buf[*len];
                (*len)++;
                return 0;
        }
        if ((buf[*len] & 0x40) == 0) {
-               if (*len >= limit - 1)
+               if (*len == limit - 1)
                        return -1;
                *pvalue = (buf[*len] & 0x3F) << 8;
                (*len)++;
@@ -172,8 +172,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
                (*len)++;
                return 0;
        }
-       if (*len >= limit)
-               return -1;
        *pvalue = (buf[*len] & 0x3F) << 14;
        (*len)++;
        /* Indicate we have a fragment */