Add test for negative offsets in cid data to prevent infinite loops.

author Doug Bailey <dbailey@digium.com>

Thu, 10 May 2007 20:48:54 +0000 (20:48 +0000)

committer Doug Bailey <dbailey@digium.com>

Thu, 10 May 2007 20:48:54 +0000 (20:48 +0000)
author Doug Bailey <dbailey@digium.com>
Thu, 10 May 2007 20:48:54 +0000 (20:48 +0000)
committer Doug Bailey <dbailey@digium.com>
Thu, 10 May 2007 20:48:54 +0000 (20:48 +0000)
diff --git a/main/callerid.c b/main/callerid.c

index 9f42ccf1fdc599f48b75c88dee4875a81b5ed5bd..901137348f643861b585beff3ba4013e987485e6 100644 (file)
--- a/main/callerid.c
+++ b/main/callerid.c
@@ -660,6 +660,12 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, int
                                                 default:
                                                         ast_log(LOG_NOTICE, "Unknown IE %d\n", cid->rawdata[x-1]);
                                                 }
+                                               if(0 > cid->rawdata[x]){        /* Negative offset in the CID Spill */
+                                                       ast_log(LOG_NOTICE, "IE %d has bad field length of %d at offset %d\n", cid->rawdata[x-1], cid->rawdata[x], x);
+                                                       /* Try again */
+                                                       cid->sawflag = 0;
+                                                       break;  /* Exit the loop */
+                                               }
                                                 x += cid->rawdata[x];
                                                 x++;
                                         }
author	Doug Bailey <dbailey@digium.com>
	Thu, 10 May 2007 20:48:54 +0000 (20:48 +0000)
committer	Doug Bailey <dbailey@digium.com>
	Thu, 10 May 2007 20:48:54 +0000 (20:48 +0000)