Fix a potential integer signedness problem.

Also fix some locking issues I found at the same time.

Issue 7770, original patch by alamantia

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@40757 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index 4d31969dc3f9f58aa0835de14f65680985af6857..acd6ad951a80a940fae15b33caa9c28dc81d1472 100644 (file)
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -3927,12 +3927,19 @@ static int get_input(struct skinnysession *s)
                res = read(s->fd, s->inbuf, 4);
                if (res < 0) {
                        ast_log(LOG_WARNING, "read() returned error: %s\n", strerror(errno));
+                       ast_mutex_unlock(&s->lock);
                        return res;
                } else if (res != 4) {
                        ast_log(LOG_WARNING, "Skinny Client sent less data than expected.  Expected 4 but got %d.\n", res);
+                       ast_mutex_unlock(&s->lock);
                        return -1;
                }
                dlen = letohl(*(int *)s->inbuf);
+               if (dlen < 0) {
+                       ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
+                       ast_mutex_unlock(&s->lock);
+                       return -1;
+               }
                if (dlen+8 > sizeof(s->inbuf)) {
                        dlen = sizeof(s->inbuf) - 8;
                }