From d7828ba9099ca71b941cdbf3bcc18b0b7e75392a Mon Sep 17 00:00:00 2001 From: David Vossel Date: Wed, 19 May 2010 20:31:35 +0000 Subject: [PATCH] Merged revisions 264400 via svnmerge from https://origsvn.digium.com/svn/asterisk/trunk ........ r264400 | dvossel | 2010-05-19 15:30:33 -0500 (Wed, 19 May 2010) | 11 lines fixes infinite loop during udptl.c's decode_open_type When decode_length returns the length there is a check to see if that length is negative, if so the decode loop breaks as this means the limit has been reached. The problem here is that length is an unsigned int, so length can never be negative. This resulted in an infinite loop. (issue #17352) ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.6.2@264405 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- main/udptl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main/udptl.c b/main/udptl.c index b8fde1cc24..d120c27fbf 100644 --- a/main/udptl.c +++ b/main/udptl.c @@ -226,8 +226,8 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len, { unsigned int octet_cnt; unsigned int octet_idx; - unsigned int length; unsigned int i; + int length; /* a negative length indicates the limit has been reached in decode_length. */ const uint8_t **pbuf; for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) { -- 2.47.2
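Review bot: in the declarations at the top of decode_open_type, `length` is now `int` while `octet_cnt`, `octet_idx` and `i` remain `unsigned int`, so any comparison or arithmetic that mixes `length` with those counters converts it back to unsigned and the negative value is lost again. The loop body is not visible in this hunk, so please confirm that the `length < 0` test described in the commit message runs directly after decode_length returns, before `length` is assigned to or compared against `octet_cnt` or `limit`. It would also help to state in the new comment, or at decode_length itself, which negative value is returned when the limit is reached, since the sign of `length` now doubles as an error indicator. A cleaner long-term shape would be for decode_length to return a status and write the length through a pointer, which keeps the length unsigned and makes the end-of-buffer condition explicit.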