AST-2016-003 udptl.c: Fix uninitialized values.
authorRichard Mudgett <rmudgett@digium.com>
Mon, 7 Dec 2015 18:46:53 +0000 (12:46 -0600)
committerRichard Mudgett <rmudgett@digium.com>
Wed, 3 Feb 2016 21:07:04 +0000 (15:07 -0600)
Sending UDPTL packets to Asterisk with the right amount of missing
sequence numbers and enough redundant 0-length IFP packets, can make
Asterisk crash.

ASTERISK-25603 #close
Reported by: Walter Doekes

ASTERISK-25742 #close
Reported by: Torrey Searle

Change-Id: I97df8375041be986f3f266ac1946a538023a5255

main/udptl.c

index c059ad3..a0f533f 100644 (file)
@@ -305,16 +305,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
        if (decode_length(buf, limit, len, &octet_cnt) != 0)
                return -1;
 
-       if (octet_cnt > 0) {
-               /* Make sure the buffer contains at least the number of bits requested */
-               if ((*len + octet_cnt) > limit)
-                       return -1;
-
-               *p_num_octets = octet_cnt;
-               *p_object = &buf[*len];
-               *len += octet_cnt;
+       /* Make sure the buffer contains at least the number of bits requested */
+       if ((*len + octet_cnt) > limit) {
+               return -1;
        }
 
+       *p_num_octets = octet_cnt;
+       *p_object = &buf[*len];
+       *len += octet_cnt;
+
        return 0;
 }
 /*- End of function --------------------------------------------------------*/