From: Mike Bradeen
Date: Mon, 6 Jun 2022 23:11:30 +0000 (-0600)
Subject: ooh323c: not checking for IE minimum length
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=42d3552d2ac0efbb68c9ec7ade898b6de0bfa033;p=thirdparty%2Fasterisk.git
ooh323c: not checking for IE minimum length
When decoding q.931 encoded calling/called number now checking for length being less than minimum required.
Resolves: #GHSA-h5hv-jmgj-92q2
---
diff --git a/addons/ooh323c/src/ooq931.c b/addons/ooh323c/src/ooq931.c
index bdcbae2993..b0a4ef3aea 100644
--- a/addons/ooh323c/src/ooq931.c
+++ b/addons/ooh323c/src/ooq931.c
@@ -226,11 +226,13 @@ EXTERN int ooQ931Decode
 screening indicators ;-) */
 if(ie->discriminator == Q931CallingPartyNumberIE)
 {
+ int numoffset=1;
 OOTRACEDBGB1(" CallingPartyNumber IE = {\n");
- if(ie->length < OO_MAX_NUMBER_LENGTH)
+ if(!(0x80 & ie->data[0])) numoffset = 2;
+
+ if( (ie->length >= numoffset) &&
+ (ie->length < OO_MAX_NUMBER_LENGTH) )
 {
- int numoffset=1;
- if(!(0x80 & ie->data[0])) numoffset = 2;
 memcpy(number, ie->data+numoffset,ie->length-numoffset);
 number[ie->length-numoffset]='\0';
 OOTRACEDBGB2(" %s\n", number);
@@ -238,7 +240,7 @@ EXTERN int ooQ931Decode
 ooCallSetCallingPartyNumber(call, number);
 }
 else{
- OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+ OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
 call->callType, call->callToken);
 }
 OOTRACEDBGB1(" }\n");
@@ -248,7 +250,8 @@ EXTERN int ooQ931Decode
 if(ie->discriminator == Q931CalledPartyNumberIE)
 {
 OOTRACEDBGB1(" CalledPartyNumber IE = {\n");
- if(ie->length < OO_MAX_NUMBER_LENGTH)
+ if( (ie->length >= 1) &&
+ (ie->length < OO_MAX_NUMBER_LENGTH) )
 {
 memcpy(number, ie->data+1,ie->length-1);
 number[ie->length-1]='\0';
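Review bot: In the first hunk (CallingPartyNumber), the relocated line `if(!(0x80 & ie->data[0])) numoffset = 2;` now reads `ie->data[0]` before any length check, so an IE with `ie->length == 0` has its offset chosen from a byte that is not part of the element. Whether that byte lies inside the allocation depends on how the IE structure is declared, which the hunk does not show. Guarding the read ties the decision to received data: `if(ie->length >= 1 && !(0x80 & ie->data[0])) numoffset = 2;`. The empty element is still rejected by the `ie->length >= numoffset` test, so the result is unchanged and only the stray read goes away. ooQ931Decode begins and ends outside this hunk.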
@@ -257,7 +260,7 @@ EXTERN int ooQ931Decode
 ooCallSetCalledPartyNumber(call, number);
 }
 else{
- OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+ OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
 call->callType, call->callToken);
 }
 OOTRACEDBGB1(" }\n");
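Review bot: The reworded error string in this `else` still says "Calling party number", although the branch follows `ooCallSetCalledPartyNumber(call, number);` and so handles the called number. A malformed CalledPartyNumber IE from a peer would be logged as a calling-number fault, which misdirects anyone triaging rejected Q.931 messages from the trace. The line should name the right element: `OOTRACEERR3("Error:Called party number outside range. (%s, %s)\n",`. The enclosing ooQ931Decode body lies outside the hunk.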