diff options
Diffstat (limited to 'channels')
-rw-r--r-- | channels/chan_skinny.c | 6 | ||||
-rw-r--r-- | channels/pjsip/dialplan_functions.c | 4 |
2 files changed, 7 insertions, 3 deletions
diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c index fb51996ab..a089c65d8 100644 --- a/channels/chan_skinny.c +++ b/channels/chan_skinny.c @@ -2374,6 +2374,7 @@ static char *callstate2str(int ind) static int transmit_response_bysession(struct skinnysession *s, struct skinny_req *req) { int res = 0; + unsigned long len; if (!s) { ast_log(LOG_WARNING, "Asked to transmit to a non-existent session!\n"); @@ -2382,7 +2383,10 @@ static int transmit_response_bysession(struct skinnysession *s, struct skinny_re ast_mutex_lock(&s->lock); - if ((letohl(req->len) > SKINNY_MAX_PACKET) || (letohl(req->len) < 0)) { + /* Don't optimize out assigning letohl() to len. It is necessary to guarantee that the comparison will always catch invalid values. + * letohl() may or may not return a signed value depending upon which definition is used. */ + len = letohl(req->len); + if (SKINNY_MAX_PACKET < len) { ast_log(LOG_WARNING, "transmit_response: the length of the request (%u) is out of bounds (%d)\n", letohl(req->len), SKINNY_MAX_PACKET); ast_mutex_unlock(&s->lock); return -1; diff --git a/channels/pjsip/dialplan_functions.c b/channels/pjsip/dialplan_functions.c index 567cd59ee..9c5245648 100644 --- a/channels/pjsip/dialplan_functions.c +++ b/channels/pjsip/dialplan_functions.c @@ -866,11 +866,11 @@ static int media_offer_read_av(struct ast_sip_session *session, char *buf, /* add one since we'll include a comma */ size = strlen(ast_format_get_name(fmt)) + 1; - len -= size; - if ((len) < 0) { + if (len < size) { ao2_ref(fmt, -1); break; } + len -= size; /* no reason to use strncat here since we have already ensured buf has enough space, so strcat can be safely used */ |