From: Jason Parker
Date: Tue, 7 Aug 2007 18:25:15 +0000 (+0000)
Subject: Properly check the capabilities count to avoid a segfault.
X-Git-Tag: 1.4.10~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1b58e7a828a07ab3834e4ddd9bd17ed41d0bd91e;p=thirdparty%2Fasterisk.git
Properly check the capabilities count to avoid a segfault. (ASA-2007-019)
git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@78375 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index 2bde2e2d83..3bbc1bae28 100644
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -202,9 +202,11 @@ struct station_capabilities {
 } payloads;
 };
+#define SKINNY_MAX_CAPABILITIES 18
+
 struct capabilities_res_message {
 uint32_t count;
- struct station_capabilities caps[18];
+ struct station_capabilities caps[SKINNY_MAX_CAPABILITIES];
 };
 #define SPEED_DIAL_STAT_REQ_MESSAGE 0x000A
@@ -3459,11 +3461,15 @@ static int handle_capabilities_res_message(struct skinny_req *req, struct skinny
 {
 struct skinny_device *d = s->device;
 struct skinny_line *l;
- int count = 0;
+ uint32_t count = 0;
 int codecs = 0;
 int i;
 count = letohl(req->data.caps.count);
+ if (count > SKINNY_MAX_CAPABILITIES) {
+ count = SKINNY_MAX_CAPABILITIES;
+ ast_log(LOG_WARNING, "Received more capabilities than we can handle (%d). Ignoring the rest.\n", SKINNY_MAX_CAPABILITIES);
+ }
 for (i = 0; i < count; i++) {
 int acodec = 0;
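Review bot: The warning in the new `if (count > SKINNY_MAX_CAPABILITIES)` branch prints the constant limit rather than the count the device actually sent, because `count` is overwritten before `ast_log` runs, so the log gives an operator nothing to tell a slightly oversized message from a hostile one. Logging first keeps the received value: `ast_log(LOG_WARNING, "Received %u capabilities, only the first %d will be used.\n", count, SKINNY_MAX_CAPABILITIES);` followed by `count = SKINNY_MAX_CAPABILITIES;`. The loop below still compares `int i` with the now-unsigned `count`; that is harmless after the clamp, but `i` could become `uint32_t` if nothing later in the function needs it signed, which would keep `-Wsign-compare` quiet. The clamp bounds the index to the `caps[]` array in the struct; whether the received packet is long enough to hold `count` entries is presumably checked where the request is read, which this hunk does not show. The function body continues past the end of the hunk.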