Merged revisions 75450 via svnmerge from
authorRussell Bryant <russell@russellbryant.com>
Tue, 17 Jul 2007 20:58:40 +0000 (20:58 +0000)
committerRussell Bryant <russell@russellbryant.com>
Tue, 17 Jul 2007 20:58:40 +0000 (20:58 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.4

................
r75450 | russell | 2007-07-17 15:57:56 -0500 (Tue, 17 Jul 2007) | 11 lines

Merged revisions 75449 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r75449 | russell | 2007-07-17 15:57:09 -0500 (Tue, 17 Jul 2007) | 3 lines

Properly check for the length in the skinny packet to prevent an invalid memcpy.
(ASA-2007-016)

........

................

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@75451 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_skinny.c

index 9a122cc..f55002d 100644 (file)
@@ -4587,7 +4587,7 @@ static int get_input(struct skinnysession *s)
                }
                
                dlen = letohl(*(int *)s->inbuf);
                }
                
                dlen = letohl(*(int *)s->inbuf);
-               if (dlen < 0) {
+               if (dlen < 4) {
                        ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
                        ast_mutex_unlock(&s->lock);
                        return -1;
                        ast_log(LOG_WARNING, "Skinny Client sent invalid data.\n");
                        ast_mutex_unlock(&s->lock);
                        return -1;