[asterisk-commits] sgriepentrog: branch 10 r403854 - in /branches/10: ./ apps/app_sms.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Mon Dec 16 09:20:52 CST 2013
Author: sgriepentrog
Date: Mon Dec 16 09:20:50 2013
New Revision: 403854
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=403854
Log:
app_sms: BufferOverflow when receiving odd length 16 bit message
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.
(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........
Merged revisions 403853 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Modified:
branches/10/ (props changed)
branches/10/apps/app_sms.c
Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Modified: branches/10/apps/app_sms.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/apps/app_sms.c?view=diff&rev=403854&r1=403853&r2=403854
==============================================================================
--- branches/10/apps/app_sms.c (original)
+++ branches/10/apps/app_sms.c Mon Dec 16 09:20:50 2013
@@ -696,7 +696,7 @@
}
while (l--) {
int v = *i++;
- if (l--) {
+ if (l && l--) {
v = (v << 8) + *i++;
}
*o++ = v;
@@ -714,6 +714,7 @@
} else if (is8bit(dcs)) {
unpacksms8(i, l, udh, udhl, ud, udl, udhi);
} else {
+ l += l % 2;
unpacksms16(i, l, udh, udhl, ud, udl, udhi);
}
return l + 1;
More information about the asterisk-commits
mailing list