Merged revisions 264400 via svnmerge from

https://origsvn.digium.com/svn/asterisk/trunk

........
  r264400 | dvossel | 2010-05-19 15:30:33 -0500 (Wed, 19 May 2010) | 11 lines

  fixes infinite loop during udptl.c's decode_open_type

  When decode_length returns the length there is a check to see if that
  length is negative, if so the decode loop breaks as this means the
  limit has been reached.  The problem here is that length is an
  unsigned int, so length can never be negative.  This resulted in
  an infinite loop.

  (issue #17352)
........

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@264405 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/main/udptl.c b/main/udptl.c
index b8fde1cc24c372ed29b889d505edd12ae24e036a..d120c27fbf871a0a8ba7fc8bd1f42eb0b6baa56d 100644 (file)
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -226,8 +226,8 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
 {
        unsigned int octet_cnt;
        unsigned int octet_idx;
-       unsigned int length;
        unsigned int i;
+       int length; /* a negative length indicates the limit has been reached in decode_length. */
        const uint8_t **pbuf;
 
        for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {