Perform proper heap bounds checking on skinny messages (bug #1726)
authorMark Spencer <markster@digium.com>
Wed, 26 May 2004 23:15:23 +0000 (23:15 +0000)
committerMark Spencer <markster@digium.com>
Wed, 26 May 2004 23:15:23 +0000 (23:15 +0000)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@3085 65c4cc65-6c06-0410-ace0-fbb531ad65f3

channels/chan_skinny.c

index fa0fb80..ec15a2c 100755 (executable)
@@ -2261,6 +2261,8 @@ static int get_input(struct skinnysession *s)
                        return -1;
                }
                dlen = *(int *)s->inbuf;
+               if (dlen+8 > sizeof(s->inbuf))
+                       dlen = sizeof(s->inbuf) - 8;
                res = read(s->fd, s->inbuf+4, dlen+4);
                ast_mutex_unlock(&s->lock);
                if (res != (dlen+4)) {
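Review bot: The check added before the `read()` bounds `dlen` only from above, so a wire length in the range -8..-5 still passes `dlen+8 > sizeof(s->inbuf)` and makes `dlen+4` negative, which `read()` then takes as a very large byte count. This assumes `dlen` is a signed int, as the `*(int *)` load suggests; its declaration and the rest of get_input are outside the hunk. The test should reject negative values and avoid the addition, for example `if (dlen < 0 || (size_t)dlen > sizeof(s->inbuf) - 8)`, which also avoids signed overflow in `dlen+8` near INT_MAX. Consider failing the call (release `s->lock` and `return -1`) instead of clamping, because a truncated read leaves the rest of the oversized message in the stream, where it will be parsed as the next length header.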