From: Doug Bailey
Date: Thu, 10 May 2007 21:25:05 +0000 (+0000)
Subject: Added check for negative offset in cid spill to prevent infinite loops
X-Git-Tag: 1.6.0-beta1~3^2~2710
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bb316de2832b94872ab3b7aa2e90b8430d9dd38;p=thirdparty%2Fasterisk.git
Added check for negative offset in cid spill to prevent infinite loops
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@63786 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
diff --git a/main/callerid.c b/main/callerid.c
index 002666aa93..74b8d9200a 100644
--- a/main/callerid.c
+++ b/main/callerid.c
@@ -636,6 +636,12 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, int
 default:
 ast_log(LOG_NOTICE, "Unknown IE %d\n", cid->rawdata[x - 1]);
 }
+ if(0 > cid->rawdata[x]){ /* Negative offset in the CID Spill */
+ ast_log(LOG_NOTICE, "IE %d has bad field length of %d at offset %d\n", cid->rawdata[x-1], cid->rawdata[x], x);
+ /* Try again */
+ cid->sawflag = 0;
+ break; /* Exit the loop */
+ }
 x += cid->rawdata[x];
 x++;
 }
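Review bot: The new guard rejects only a negative length byte, and it sits after the switch, so any case above the hunk that presumably reads `cid->rawdata[x]` as a field length has already acted on the bad value before it is logged. Because this byte is decoded straight from the line signal, I would validate it once before the cases consume it. I would also reject a length that runs past the data collected so far, not only a negative one, ahead of `x += cid->rawdata[x];`. The test works only if `rawdata` is a signed char array, which is not visible here; a comment such as `/* rawdata is signed char: length bytes >= 0x80 read as negative */` next to `if (cid->rawdata[x] < 0) {` would make that dependency explicit. The loop and the switch both begin outside the hunk, so the ordering concern should be confirmed against the full function.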