app_sms: BufferOverflow when receiving odd length 16 bit message
This patch prevents an infinite loop overwriting memory when a message is received into the unpacksms16() function, where the length of the message is an odd number of bytes. (closes issue ASTERISK-22590) Reported by: Jan Juergens Tested by: Jan Juergens ........ Merged revisions 403856 from http://svn.asterisk.org/svn/asterisk/branches/12 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@403857 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
parent
4ddf45fd24
commit
3322180d4b
|
@ -696,7 +696,7 @@ static void unpacksms16(unsigned char *i, unsigned char l, unsigned char *udh, i
|
|||
}
|
||||
while (l--) {
|
||||
int v = *i++;
|
||||
if (l--) {
|
||||
if (l && l--) {
|
||||
v = (v << 8) + *i++;
|
||||
}
|
||||
*o++ = v;
|
||||
|
@ -714,6 +714,7 @@ static int unpacksms(unsigned char dcs, unsigned char *i, unsigned char *udh, in
|
|||
} else if (is8bit(dcs)) {
|
||||
unpacksms8(i, l, udh, udhl, ud, udl, udhi);
|
||||
} else {
|
||||
l += l % 2;
|
||||
unpacksms16(i, l, udh, udhl, ud, udl, udhi);
|
||||
}
|
||||
return l + 1;
|
||||
|
|
Loading…
Reference in New Issue