[asterisk-commits] sgriepentrog: branch certified-1.8.15 r403858 - in /certified/branches/1.8.15...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Mon Dec 16 09:33:59 CST 2013
Author: sgriepentrog
Date: Mon Dec 16 09:33:57 2013
New Revision: 403858
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=403858
Log:
app_sms: BufferOverflow when receiving odd length 16 bit message
This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.
(closes issue ASTERISK-22590)
Reported by: Jan Juergens
Tested by: Jan Juergens
........
Merged revisions 403853 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Modified:
certified/branches/1.8.15/ (props changed)
certified/branches/1.8.15/apps/app_sms.c
Propchange: certified/branches/1.8.15/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Modified: certified/branches/1.8.15/apps/app_sms.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.15/apps/app_sms.c?view=diff&rev=403858&r1=403857&r2=403858
==============================================================================
--- certified/branches/1.8.15/apps/app_sms.c (original)
+++ certified/branches/1.8.15/apps/app_sms.c Mon Dec 16 09:33:57 2013
@@ -697,7 +697,7 @@
}
while (l--) {
int v = *i++;
- if (l--) {
+ if (l && l--) {
v = (v << 8) + *i++;
}
*o++ = v;
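Review bot: the new condition `if (l && l--)` hides the decrement inside a short-circuit expression, which is easy to misread in a fix for a memory-overwrite bug. Writing it as an explicit `if (l) { l--; v = (v << 8) + *i++; }` makes it obvious that l is never taken below zero after `while (l--)` has consumed the last byte. In the odd-length case the final byte is stored by `*o++ = v` as a lone low byte, so a short comment on how a trailing half character is meant to be treated would help. The visible lines show no bound on `o`, so please confirm the output buffer is sized for the largest l a caller can pass.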
@@ -715,6 +715,7 @@
} else if (is8bit(dcs)) {
unpacksms8(i, l, udh, udhl, ud, udl, udhi);
} else {
+ l += l % 2;
unpacksms16(i, l, udh, udhl, ud, udl, udhi);
}
return l + 1;
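Review bot: `l += l % 2` in the 16-bit branch rounds an odd length up, so unpacksms16() is told to consume one byte more than the message declared, and nothing in this hunk shows that the input at `i` actually holds that extra byte. Please confirm the source buffer is always at least that long, or explain why rounding up rather than down is correct here. The rounded value also flows into `return l + 1`, so the return value for odd-length 16-bit messages changes; that deserves a comment if it is intended. If l can be negative at this point, `l % 2` is negative too (C99 and later) and the adjustment moves l further from zero, so a range check on l before this line would be safer.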