diff options
author | Doug Bailey <dbailey@digium.com> | 2007-05-10 21:25:05 +0000 |
---|---|---|
committer | Doug Bailey <dbailey@digium.com> | 2007-05-10 21:25:05 +0000 |
commit | 0bb316de2832b94872ab3b7aa2e90b8430d9dd38 (patch) | |
tree | 969d84c5a81c2a506f41d695f709633316631e80 /main/callerid.c | |
parent | aa320037d2328fa92b0df2c9ef9feec4219060fc (diff) |
Added check for negative offset in cid spill to prevent infinite loops
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@63786 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'main/callerid.c')
-rw-r--r-- | main/callerid.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/main/callerid.c b/main/callerid.c index 002666aa9..74b8d9200 100644 --- a/main/callerid.c +++ b/main/callerid.c @@ -636,6 +636,12 @@ int callerid_feed(struct callerid_state *cid, unsigned char *ubuf, int len, int default: ast_log(LOG_NOTICE, "Unknown IE %d\n", cid->rawdata[x - 1]); } + if(0 > cid->rawdata[x]){ /* Negative offset in the CID Spill */ + ast_log(LOG_NOTICE, "IE %d has bad field length of %d at offset %d\n", cid->rawdata[x-1], cid->rawdata[x], x); + /* Try again */ + cid->sawflag = 0; + break; /* Exit the loop */ + } x += cid->rawdata[x]; x++; } |