[asterisk-commits] dvossel: branch 1.6.2 r264405 - in /branches/1.6.2: ./ main/udptl.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Wed May 19 15:31:40 CDT 2010


Author: dvossel
Date: Wed May 19 15:31:35 2010
New Revision: 264405

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=264405
Log:
Merged revisions 264400 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

........
  r264400 | dvossel | 2010-05-19 15:30:33 -0500 (Wed, 19 May 2010) | 11 lines
  
  fixes infinite loop during udptl.c's decode_open_type
  
  When decode_length returns the length there is a check to see if that
  length is negative, if so the decode loop breaks as this means the
  limit has been reached.  The problem here is that length is an
  unsigned int, so length can never be negative.  This resulted in
  an infinite loop.
  
  (issue #17352)
........

Modified:
    branches/1.6.2/   (props changed)
    branches/1.6.2/main/udptl.c

Propchange: branches/1.6.2/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.

Modified: branches/1.6.2/main/udptl.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.6.2/main/udptl.c?view=diff&rev=264405&r1=264404&r2=264405
==============================================================================
--- branches/1.6.2/main/udptl.c (original)
+++ branches/1.6.2/main/udptl.c Wed May 19 15:31:35 2010
@@ -226,8 +226,8 @@
 {
 	unsigned int octet_cnt;
 	unsigned int octet_idx;
-	unsigned int length;
 	unsigned int i;
+	int length; /* a negative length indicates the limit has been reached in decode_length. */
 	const uint8_t **pbuf;
 
 	for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {
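
Review bot: the new "int length" declaration sits beside "unsigned int octet_cnt", "octet_idx" and "i", so any later comparison or arithmetic that mixes length with those counters converts length to unsigned, and a negative sentinel becomes a very large positive value. The loop body is outside this hunk, so please confirm that the "length < 0" test runs directly after the decode_length call, before length is compared with or assigned to any of the unsigned counters. It would also be more robust to report "limit reached" separately from the length (status as the return value, length through an out-parameter) rather than overloading the sign. The explanatory comment would be better placed on decode_length itself, where the negative return is produced.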