Properly check for the length in the skinny packet to prevent an invalid memcpy.

author Russell Bryant <russell@russellbryant.com>

Tue, 17 Jul 2007 20:57:09 +0000 (20:57 +0000)

committer Russell Bryant <russell@russellbryant.com>

Tue, 17 Jul 2007 20:57:09 +0000 (20:57 +0000)
author Russell Bryant <russell@russellbryant.com>
Tue, 17 Jul 2007 20:57:09 +0000 (20:57 +0000)
committer Russell Bryant <russell@russellbryant.com>
Tue, 17 Jul 2007 20:57:09 +0000 (20:57 +0000)
diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c

index 3cfd9d64687daf56d4ae74c882653327325a1a97..c9d3f885487781d60a3e6d81ec2e9d71e3f4c29b 100644 (file)
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -2862,7 +2862,7 @@ static int get_input(struct skinnysession *s)
                         return -1;
                 }
                 dlen = letohl(*(int *)s->inbuf);
-               if (dlen < 0) {
+               if (dlen < 4) {
                         ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
                         return -1;
                 }
author	Russell Bryant <russell@russellbryant.com>
	Tue, 17 Jul 2007 20:57:09 +0000 (20:57 +0000)
committer	Russell Bryant <russell@russellbryant.com>
	Tue, 17 Jul 2007 20:57:09 +0000 (20:57 +0000)