Package: asterisk / 1:1.6.2.9-2+squeeze12

AST-2013-006 Patch series
Subject: app_sms: BufferOverflow when receiving odd length 16 bit message
From: Scott Griepentrog <sgriepentrog@digium.com>
Date: Mon, 16 Dec 2013 15:18:56 +0000
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=403853
Bug: https://issues.asterisk.org/jira/browse/ASTERISK-22590

This patch prevents an infinite loop overwriting memory when
a message is received into the unpacksms16() function, where
the length of the message is an odd number of bytes.
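As an added illustration of the loop behaviour the description above refers to (this is example code written for this page, not Asterisk's own app_sms.c): a stand-in for the 16-bit unpack loop in which the pre-patch condition `if (l--)` and the patched condition `if (l && l--)` can be selected, run over a constructed 3-byte payload. The stand-in assumes `l` is an `unsigned int` (the real parameter type is not visible in the hunk), bounds the output buffer so the pre-patch loop reports an overrun instead of actually writing out of bounds, and leaves out the `l += l % 2` adjustment the patch makes in the caller.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-in for the 16-bit unpack loop (not the Asterisk function itself).
 * Decodes big-endian 16-bit words from `l` bytes at `i` into `out`.
 * `guarded` == 0 uses the pre-patch condition `if (l--)`,
 * `guarded` != 0 uses the patched condition `if (l && l--)`.
 * Returns the number of words written, or -1 if the loop tried to write
 * past `out_cap` words (the memory overwrite the patch prevents).
 * Assumption: `l` is unsigned here; the real parameter type is not shown.
 */
static int unpack16_demo(const unsigned char *i, unsigned int l,
                         unsigned short *out, size_t out_cap, int guarded)
{
    size_t n = 0;

    while (l--) {
        int v;

        /* Bounds check first: the unguarded loop would also read past the
         * input on the runaway iteration, so stop before touching a buffer. */
        if (n >= out_cap) {
            return -1;
        }
        v = *i++;
        if (guarded ? (l && l--) : (l--)) {
            /* Second byte present: combine into one 16-bit word. */
            v = (v << 8) + *i++;
        }
        out[n++] = (unsigned short)v;
    }
    return (int)n;
}

/* Constructed odd-length sample payload: one full word plus a trailing byte. */
static const unsigned char sample_odd[3] = {0x01, 0x02, 0x03};

/* Patched condition on the odd-length sample: terminates after 2 words. */
static int demo_patched_count(void)
{
    unsigned short out[2];
    return unpack16_demo(sample_odd, 3, out, 2, 1);
}

/* Word `idx` produced by the patched loop on the sample. */
static unsigned int demo_patched_word(int idx)
{
    unsigned short out[2] = {0, 0};
    unpack16_demo(sample_odd, 3, out, 2, 1);
    return out[idx];
}

/* Pre-patch condition on the same sample: `l` is decremented past zero on
 * the trailing byte, `while (l--)` keeps going, and the write would overrun. */
static int demo_original_count(void)
{
    unsigned short out[2];
    return unpack16_demo(sample_odd, 3, out, 2, 0);
}

int main(void)
{
    printf("patched : %d words (0x%04x, 0x%04x)\n", demo_patched_count(),
           demo_patched_word(0), demo_patched_word(1));
    printf("original: %d (negative = would overrun output buffer)\n",
           demo_original_count());
    return 0;
}
```

The trailing byte is the whole story: on the second pass `l` is already 0, so the unguarded `l--` wraps it (or drives it to -1 if signed; either way nonzero), the enclosing `while (l--)` never sees zero again, and every further pass writes another word through the output pointer. The short-circuit `&&` skips the decrement when `l` is 0, so the loop exits normally with the odd byte emitted as a single 8-bit value.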

---
 apps/app_sms.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/apps/app_sms.c
+++ b/apps/app_sms.c
@@ -692,7 +692,7 @@ static void unpacksms16(unsigned char *i
 	}
 	while (l--) {
 		int v = *i++;
-		if (l--) {
+		if (l && l--) {
 			v = (v << 8) + *i++;
 		}
 		*o++ = v;
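Review bot: the change to `if (l && l--)` is correct but subtle enough to deserve a comment at that line. With the original `if (l--)`, the post-decrement runs even when `l` is already 0, so on an odd-length input the pass that consumes the last single byte leaves `l` nonzero (wrapped or negative, depending on its type, which this hunk does not show) and the enclosing `while (l--)` never terminates, each pass writing another word through `*o++`. The short-circuit `&&` decrements only when `l` is nonzero, so the loop ends after that final byte. A one-liner such as `/* odd trailing byte: do not decrement l past zero */` would stop the next reader from "simplifying" it back to `if (l--)`.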
@@ -710,6 +710,7 @@ static int unpacksms(unsigned char dcs,
 	} else if (is8bit(dcs)) {
 		unpacksms8(i, l, udh, udhl, ud, udl, udhi);
 	} else {
+		l += l % 2;
 		unpacksms16(i, l, udh, udhl, ud, udl, udhi);
 	}
 	return l + 1;
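Review bot: `l += l % 2;` rounds the length up to even before the call, but `return l + 1;` at the bottom of this hunk now returns the rounded-up value for odd inputs, so a caller that uses the return value to advance through the buffer will step one byte further than before; confirm that is intended and say so in a comment. Rounding up also means unpacksms16() reads one byte beyond the original `l` for odd lengths, so the input buffer must have that byte available. Since the guard added in unpacksms16() already terminates the loop for odd lengths, this line is defence in depth rather than the fix itself, and placing it only in the 16-bit branch (not the 8-bit one above) is right.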