kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-05 12:16:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

app_sms: BufferOverflow when receiving odd length 16 bit message

Browse Source 
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.

(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/10-digiumphones@403861 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Scott Griepentrog
2013-12-16 15:39:30 +00:00
parent 33ce9ae08e
commit 8105bf41f5
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
apps/app_sms.c
View File

@@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
} }
while (l--) { while (l--) {
int v = *i++; int v = *i++;
if (l--) { if (l && l--) {
v = (v << 8) + *i++; v = (v << 8) + *i++;
} }
*o++ = v; *o++ = v;
@@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
} else if (is8bit(dcs)) { } else if (is8bit(dcs)) {
unpacksms8(i, l, udh, udhl, ud, udl, udhi); unpacksms8(i, l, udh, udhl, ud, udl, udhi);
} else { } else {
l += l % 2;
unpacksms16(i, l, udh, udhl, ud, udl, udhi); unpacksms16(i, l, udh, udhl, ud, udl, udhi);
} }
return l + 1; return l + 1;