From: Tilghman Lesher <tilghman@meg.abyt.es>
Date: Wed, 14 Jan 2009 19:02:55 +0000 (+0000)
Subject: Don't read into a buffer without first checking if a value is beyond the end.
X-Git-Tag: 1.4.23-testing~2^2~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=99313c7b926f1fab0a438c3946626e8b1113b666;p=thirdparty%2Fasterisk.git

Don't read into a buffer without first checking if a value is beyond the end.
(closes issue #13600)
 Reported by: atis
 Patches:
       20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
 Tested by: atis


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@168603 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/main/udptl.c b/main/udptl.c
index a9386ac099..679282731c 100644
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -156,15 +156,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr)
 
 static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
 {
+	if (*len >= limit)
+		return -1;
 	if ((buf[*len] & 0x80) == 0) {
-		if (*len >= limit)
-			return -1;
 		*pvalue = buf[*len];
 		(*len)++;
 		return 0;
 	}
 	if ((buf[*len] & 0x40) == 0) {
-		if (*len >= limit - 1)
+		if (*len == limit - 1)
 			return -1;
 		*pvalue = (buf[*len] & 0x3F) << 8;
 		(*len)++;
@@ -172,8 +172,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
 		(*len)++;
 		return 0;
 	}
-	if (*len >= limit)
-		return -1;
 	*pvalue = (buf[*len] & 0x3F) << 14;
 	(*len)++;
 	/* Indicate we have a fragment */