diff options
author | Scott Griepentrog <sgriepentrog@digium.com> | 2013-12-16 15:30:18 +0000 |
---|---|---|
committer | Scott Griepentrog <sgriepentrog@digium.com> | 2013-12-16 15:30:18 +0000 |
commit | 3322180d4b452e11545b70abc9b2d5af3d241361 (patch) | |
tree | 21a99dcb324b62c93fa2a04f483c0ee3adb6fb55 /apps/app_sms.c | |
parent | 4ddf45fd244f8d79a8cb8da600ec2f77dacd09d8 (diff) |
app_sms: BufferOverflow when receiving odd length 16 bit message
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.
(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........
Merged revisions 403856 from http://svn.asterisk.org/svn/asterisk/branches/12
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403857 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'apps/app_sms.c')
-rw-r--r-- | apps/app_sms.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/apps/app_sms.c b/apps/app_sms.c index 36e7dd660..f693a209e 100644 --- a/apps/app_sms.c +++ b/apps/app_sms.c @@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i } while (l--) { int v = *i++; - if (l--) { + if (l && l--) { v = (v << 8) + *i++; } *o++ = v; @@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in } else if (is8bit(dcs)) { unpacksms8(i, l, udh, udhl, ud, udl, udhi); } else { + l += l % 2; unpacksms16(i, l, udh, udhl, ud, udl, udhi); } return l + 1; |