Merged revisions 48870 via svnmerge from

https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r48870 | qwell | 2006-12-22 14:43:05 -0600 (Fri, 22 Dec 2006) | 2 lines

Fix for issue 7774 - patch by alamantia

........

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@48871 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/channels/chan_skinny.c b/channels/chan_skinny.c
index e01590a..6c1cd19 100644 (file)
--- a/channels/chan_skinny.c
+++ b/channels/chan_skinny.c
@@ -1388,14 +1388,17 @@ static int transmit_response(struct skinnysession *s, struct skinny_req *req)
        int res = 0;
        ast_mutex_lock(&s->lock);
 
-#if 0
        if (skinnydebug)
-               ast_verbose("writing packet type %04X (%d bytes) to socket %d\n", letohl(req->e), letohl(req->len)+8, s->fd);
-#endif
+               ast_log(LOG_VERBOSE, "writing packet type %04X (%d bytes) to socket %d\n", letohl(req->e), letohl(req->len)+8, s->fd);
+
+       if (letohl(req->len > SKINNY_MAX_PACKET) || letohl(req->len < 0) {
+               ast_log(LOG_WARNING, "transmit_response: the length of the request is out of bounds\n");
+               return -1;
+       }
 
        memset(s->outbuf,0,sizeof(s->outbuf));
        memcpy(s->outbuf, req, skinny_header_size);
-       memcpy(s->outbuf+skinny_header_size, &req->data, sizeof(union skinny_data));
+       memcpy(s->outbuf+skinny_header_size, &req->data, letohl(req->len));
 
        res = write(s->fd, s->outbuf, letohl(req->len)+8);