From f58db3317c321aecf19277c2b56b48e38248990c Mon Sep 17 00:00:00 2001
From: Scott Griepentrog
Date: Mon, 16 Dec 2013 15:33:57 +0000
Subject: [PATCH] app_sms: BufferOverflow when receiving odd length 16 bit message

This patch prevents an infinite loop overwriting memory when a message is received into the unpacksms16() function, where the length of the message is an odd number of bytes.
(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........
Merged revisions 403853 from http://svn.asterisk.org/svn/asterisk/branches/1.8
git-svn-id: https://origsvn.digium.com/svn/asterisk/certified/branches/1.8.15@403858 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 apps/app_sms.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/app_sms.c b/apps/app_sms.c
index 77005c61cd..8848db6dad 100644
--- a/apps/app_sms.c
+++ b/apps/app_sms.c
@@ -697,7 +697,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
 }
 while (l--) {
 int v = *i++;
- if (l--) {
+ if (l && l--) {
 v = (v << 8) + *i++;
 }
 *o++ = v;
@@ -715,6 +715,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
 } else if (is8bit(dcs)) {
 unpacksms8(i, l, udh, udhl, ud, udl, udhi);
 } else {
+ l += l % 2;
 unpacksms16(i, l, udh, udhl, ud, udl, udhi);
 }
 return l + 1;
-- 
2.47.2
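Review bot: The new `l &&` guard in unpacksms16() is easy to mistake for redundant and deserves a comment, since the reason it matters is only visible in the signature: `l` is an `unsigned char`, so the inner `l--` at zero wraps to 255 and the outer `while (l--)` keeps writing through `o`. Something like `/* l is unsigned: decrementing at 0 would wrap to 255 and restart the copy loop */` above the `if` would stop a later cleanup from removing it. With an odd length the final byte is now stored unshifted by `*o++ = v`, which is worth stating in the same comment as the intended handling of a truncated 16-bit unit. The loop is still bounded only by `l`; no limit on the `o` destination is visible in the hunk, and the function body starts and ends outside it.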
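Review bot: The `l += l % 2;` line in unpacksms() changes more than the argument to unpacksms16(). The padded value is also what `return l + 1;` reports, so for an odd declared length the function reads and reports one more byte than the message declared, and nothing in the hunk shows that `i` is guaranteed to hold that byte. If `l` can be 255 here (its declaration is outside the hunk), the padded 256 would be truncated to 0 by the `unsigned char l` parameter of unpacksms16() and the payload would be skipped silently. Because the `l && l--` guard in the first hunk already makes an odd length safe, consider whether the rounding is needed at all. If it is, document it with a comment such as `/* odd UDL padded to a whole 16-bit unit; the pad byte is read from i and counted in the return value */` and check the padded length against the remaining input.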