Merged revisions 168603 via svnmerge from

https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r168603 | tilghman | 2009-01-14 13:02:55 -0600 (Wed, 14 Jan 2009) | 7 lines Don't read into a buffer without first checking if a value is beyond the end. (closes issue #13600) Reported by: atis Patches: 20090106__bug13600.diff.txt uploaded by Corydon76 (license 14) Tested by: atis ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@168604 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-10-31 10:47:18 +00:00 · 2009-01-14 19:11:14 +00:00
parent 9c10ccd9fd
commit 72fc03b6c6
1 changed files with 3 additions and 5 deletions
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -176,15 +176,15 @@ static inline int udptl_debug_test_addr(struct sockaddr_in *addr)

 static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
 {
-	if ((buf[*len] & 0x80) == 0) {
 	if (*len >= limit)
 		return -1;
+	if ((buf[*len] & 0x80) == 0) {
 		*pvalue = buf[*len];
 		(*len)++;
 		return 0;
 	}
 	if ((buf[*len] & 0x40) == 0) {
-		if (*len >= limit - 1)
+		if (*len == limit - 1)
 			return -1;
 		*pvalue = (buf[*len] & 0x3F) << 8;
 		(*len)++;
@@ -192,8 +192,6 @@ static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
 		(*len)++;
 		return 0;
 	}
-	if (*len >= limit)
-		return -1;
 	*pvalue = (buf[*len] & 0x3F) << 14;
 	(*len)++;
 	/* Indicate we have a fragment */