app_sms: BufferOverflow when receiving odd length 16 bit message
authorScott Griepentrog <sgriepentrog@digium.com>
Mon, 16 Dec 2013 15:33:57 +0000 (15:33 +0000)
committerScott Griepentrog <sgriepentrog@digium.com>
Mon, 16 Dec 2013 15:33:57 +0000 (15:33 +0000)
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.

(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........

Merged revisions 403853 from http://svn.asterisk.org/svn/asterisk/branches/1.8

git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/branches/1.8.15@403858 65c4cc65-6c06-0410-ace0-fbb531ad65f3

apps/app_sms.c

index 77005c61cd6449d9e53f0973e7ade4502689cec5..8848db6dad6303550ea67fff20abe24743fe44af 100644 (file)
@@ -697,7 +697,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
        }
        while (l--) {
                int v = *i++;
-               if (l--) {
+               if (l && l--) {
                        v = (v << 8) + *i++;
                }
                *o++ = v;
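Review bot: The new condition `if (l && l--)` folds the bounds test and the decrement into one expression on an `unsigned char` counter, the same construct whose wrap from 0 to 255 caused the overrun being fixed; writing it as `if (l) { l--; v = (v << 8) + *i++; }` makes the guard explicit. A short comment such as `/* odd trailing byte: store it alone, never let l wrap below 0 */` would record why the test is there. With this guard an odd final byte is still written through `*o++ = v` as a code unit of its own, so it is worth deciding whether that byte should be emitted or dropped. The body of unpacksms16 starts before and continues after this hunk, so the bound on `o` cannot be checked from here.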
@@ -715,6 +715,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
        } else if (is8bit(dcs)) {
                unpacksms8(i, l, udh, udhl, ud, udl, udhi);
        } else {
+               l += l % 2;
                unpacksms16(i, l, udh, udhl, ud, udl, udhi);
        }
        return l + 1;
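Review bot: Rounding with `l += l % 2;` turns a declared length of 255 into 256, and unpacksms16 takes the length as `unsigned char l`, so that value arrives as 0 and the payload is skipped while `return l + 1` still reports the rounded length (assuming `l` is wider than a byte here; its declaration is outside the hunk). For every other odd length the callee now reads one byte more than the message declared, which is safe only if the input buffer is known to hold that byte. Since the guard added in unpacksms16 already copes with an odd count, consider passing the declared length unchanged, or at least excluding the top value with `if ((l % 2) && l < 255) l++;`. Either way, a comment stating why the length is padded, and whether the returned count is meant to include the pad byte, would help the next reader.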