aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormnicholson <mnicholson@f38db490-d61c-443f-a65b-d21fe96a405b>2011-02-21 15:00:22 +0000
committermnicholson <mnicholson@f38db490-d61c-443f-a65b-d21fe96a405b>2011-02-21 15:00:22 +0000
commit55307d9c150e15c3a9e95558f7315ed75ae541b7 (patch)
tree8b2fe801f7fb12e976fb3f1f794c22124ab84b54
parent812d3e9e9d299e4780b928d876520d4d50c23bc4 (diff)
Merged revisions 308413 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r308413 | mnicholson | 2011-02-21 08:57:15 -0600 (Mon, 21 Feb 2011) | 5 lines Properly check the bounds of arrays when decoding UDPTL packets. Also, remove broken support for receiving UDPTL packets larger than 16k. That shouldn't ever happen anyway. AST-2011-002 FAX-281 ........ git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.6.2@308414 f38db490-d61c-443f-a65b-d21fe96a405b
-rw-r--r--main/udptl.c48
1 files changed, 21 insertions, 27 deletions
diff --git a/main/udptl.c b/main/udptl.c
index df462c3c6..429c2334d 100644
--- a/main/udptl.c
+++ b/main/udptl.c
@@ -215,38 +215,29 @@ static int decode_length(uint8_t *buf, unsigned int limit, unsigned int *len, un
}
*pvalue = (buf[*len] & 0x3F) << 14;
(*len)++;
- /* Indicate we have a fragment */
+ /* We have a fragment. Currently we don't process fragments. */
+ ast_debug(1, "UDPTL packet with length greater than 16K received, decoding will fail\n");
return 1;
}
/*- End of function --------------------------------------------------------*/
static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len, const uint8_t **p_object, unsigned int *p_num_octets)
{
- unsigned int octet_cnt;
- unsigned int octet_idx;
- unsigned int i;
- int length; /* a negative length indicates the limit has been reached in decode_length. */
- const uint8_t **pbuf;
+ unsigned int octet_cnt = 0;
- for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {
- octet_cnt = 0;
- if ((length = decode_length(buf, limit, len, &octet_cnt)) < 0)
- return -1;
- if (octet_cnt > 0) {
- *p_num_octets += octet_cnt;
+ if (decode_length(buf, limit, len, &octet_cnt) != 0)
+ return -1;
- pbuf = &p_object[octet_idx];
- i = 0;
- /* Make sure the buffer contains at least the number of bits requested */
- if ((*len + octet_cnt) > limit)
- return -1;
+ if (octet_cnt > 0) {
+ /* Make sure the buffer contains at least the number of bits requested */
+ if ((*len + octet_cnt) > limit)
+ return -1;
- *pbuf = &buf[*len];
- *len += octet_cnt;
- }
- if (length == 0)
- break;
+ *p_num_octets = octet_cnt;
+ *p_object = &buf[*len];
+ *len += octet_cnt;
}
+
return 0;
}
/*- End of function --------------------------------------------------------*/
@@ -333,8 +324,8 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, unsigned int len)
const uint8_t *data;
unsigned int ifp_len;
int repaired[16];
- const uint8_t *bufs[16];
- unsigned int lengths[16];
+ const uint8_t *bufs[ARRAY_LEN(s->f) - 1];
+ unsigned int lengths[ARRAY_LEN(s->f) - 1];
int span;
int entries;
int ifp_no;
@@ -364,13 +355,13 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, unsigned int len)
do {
if ((stat2 = decode_length(buf, len, &ptr, &count)) < 0)
return -1;
- for (i = 0; i < count; i++) {
+ for (i = 0; i < count && total_count + i < ARRAY_LEN(bufs); i++) {
if ((stat1 = decode_open_type(buf, len, &ptr, &bufs[total_count + i], &lengths[total_count + i])) != 0)
return -1;
}
- total_count += count;
+ total_count += i;
}
- while (stat2 > 0);
+ while (stat2 > 0 && total_count < ARRAY_LEN(bufs));
/* Step through in reverse order, so we go oldest to newest */
for (i = total_count; i > 0; i--) {
if (seq_no - i >= s->rx_seq_no) {
@@ -433,6 +424,9 @@ static int udptl_rx_packet(struct ast_udptl *s, uint8_t *buf, unsigned int len)
if (ptr + 1 > len)
return -1;
entries = buf[ptr++];
+ if (entries > MAX_FEC_ENTRIES) {
+ return -1;
+ }
s->rx[x].fec_entries = entries;
/* Decode the elements */