[Asterisk-code-review] ooh323c: not checking for IE minimum length (asterisk[18.15])
Benjamin Keith Ford
asteriskteam at digium.com
Thu Dec 1 11:39:47 CST 2022
Benjamin Keith Ford has uploaded this change for review. ( https://gerrit.asterisk.org/c/asterisk/+/19625 )
Change subject: ooh323c: not checking for IE minimum length
......................................................................
ooh323c: not checking for IE minimum length
When decoding q.931 encoded calling/called number
now checking for length being less than minimum required.
ASTERISK-30103
Change-Id: I3dcfce0f35eca258dc450f87c92d4d7af402c2e7
---
M addons/ooh323c/src/ooq931.c
1 file changed, 23 insertions(+), 6 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/25/19625/1
diff --git a/addons/ooh323c/src/ooq931.c b/addons/ooh323c/src/ooq931.c
index fe8b06e..b7bcba8 100644
--- a/addons/ooh323c/src/ooq931.c
+++ b/addons/ooh323c/src/ooq931.c
@@ -192,11 +192,13 @@
screening indicators ;-) */
if(ie->discriminator == Q931CallingPartyNumberIE)
{
+ int numoffset=1;
OOTRACEDBGB1(" CallingPartyNumber IE = {\n");
- if(ie->length < OO_MAX_NUMBER_LENGTH)
+ if(!(0x80 & ie->data[0])) numoffset = 2;
+
+ if( (ie->length >= numoffset) &&
+ (ie->length < OO_MAX_NUMBER_LENGTH) )
{
- int numoffset=1;
- if(!(0x80 & ie->data[0])) numoffset = 2;
memcpy(number, ie->data+numoffset,ie->length-numoffset);
number[ie->length-numoffset]='\0';
OOTRACEDBGB2(" %s\n", number);
@@ -204,7 +206,7 @@
ooCallSetCallingPartyNumber(call, number);
}
else{
- OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+ OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
call->callType, call->callToken);
}
OOTRACEDBGB1(" }\n");
@@ -214,7 +216,8 @@
if(ie->discriminator == Q931CalledPartyNumberIE)
{
OOTRACEDBGB1(" CalledPartyNumber IE = {\n");
- if(ie->length < OO_MAX_NUMBER_LENGTH)
+ if( (ie->length >= 1) &&
+ (ie->length < OO_MAX_NUMBER_LENGTH) )
{
memcpy(number, ie->data+1,ie->length-1);
number[ie->length-1]='\0';
@@ -223,7 +226,7 @@
ooCallSetCalledPartyNumber(call, number);
}
else{
- OOTRACEERR3("Error:Calling party number too long. (%s, %s)\n",
+ OOTRACEERR3("Error:Calling party number outside range. (%s, %s)\n",
call->callType, call->callToken);
}
OOTRACEDBGB1(" }\n");
--
To view, visit https://gerrit.asterisk.org/c/asterisk/+/19625
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: 18.15
Gerrit-Change-Id: I3dcfce0f35eca258dc450f87c92d4d7af402c2e7
Gerrit-Change-Number: 19625
Gerrit-PatchSet: 1
Gerrit-Owner: Benjamin Keith Ford <bford at digium.com>
Gerrit-CC: Michael Bradeen <mbradeen at sangoma.com>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20221201/63e831b5/attachment-0001.html>
More information about the asterisk-code-review
mailing list