From: Tilghman Lesher Date: Wed, 14 Jan 2009 19:11:14 +0000 (+0000) Subject: Merged revisions 168603 via svnmerge from X-Git-Tag: 1.6.2.0-beta1~450 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72fc03b6c64b180f51b3d85b92b384e4ce4b4b04;p=thirdparty%2Fasterisk.git Merged revisions 168603 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines Don't read into a buffer without first checking if a value is beyond the end. (closes issue #13600) Reported by: atis Patches: 20090106__bug13600.diff.txt uploaded by Corydon76 (license 14) Tested by: atis ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@168604 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/main/udptl.c b/main/udptl.c index 52f7c99f2d..9c64d06d4b 100644 --- a/main/udptl.c +++ b/main/udptl.c @@ -176,15 +176,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr) static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) { + if (*len >= limit) + return -1; if ((buf[*len] & 0x80) == 0) { - if (*len >= limit) - return -1; *pvalue = buf[*len]; (*len)++; return 0; } if ((buf[*len] & 0x40) == 0) { - if (*len >= limit - 1) + if (*len == limit - 1) return -1; *pvalue = (buf[*len] & 0x3F) << 8; (*len)++; @@ -192,8 +192,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue) (*len)++; return 0; } - if (*len >= limit) - return -1; *pvalue = (buf[*len] & 0x3F) << 14; (*len)++; /* Indicate we have a fragment */