[Pkg-voip-commits] [asterisk] 07/10: AST-2016-003: Fix crash in UDPTL (CVE-2016-2232)

Bernhard Schmidt berni at moszumanska.debian.org
Sun Oct 23 19:48:53 UTC 2016


This is an automated email from the git hooks/post-receive script.

berni pushed a commit to branch jessie
in repository asterisk.

commit 1e65a716500804303c118c0036081893730c3f88
Author: Bernhard Schmidt <berni at debian.org>
Date:   Sun Oct 9 19:32:44 2016 +0200

    AST-2016-003: Fix crash in UDPTL (CVE-2016-2232)
---
 debian/patches/AST-2016-003-11.diff | 28 ++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 2 files changed, 29 insertions(+)

diff --git a/debian/patches/AST-2016-003-11.diff b/debian/patches/AST-2016-003-11.diff
new file mode 100644
index 0000000..e0c16d4
--- /dev/null
+++ b/debian/patches/AST-2016-003-11.diff
@@ -0,0 +1,28 @@
+diff --git a/main/udptl.c b/main/udptl.c
+index 76fc2fb..d308bff 100644
+--- a/main/udptl.c
++++ b/main/udptl.c
+@@ -263,16 +263,15 @@ static int decode_open_type(uint8_t *buf, unsigned int limit, unsigned int *len,
+ 	if (decode_length(buf, limit, len, &octet_cnt) != 0)
+ 		return -1;
+ 
+-	if (octet_cnt > 0) {
+-		/* Make sure the buffer contains at least the number of bits requested */
+-		if ((*len + octet_cnt) > limit)
+-			return -1;
+-
+-		*p_num_octets = octet_cnt;
+-		*p_object = &buf[*len];
+-		*len += octet_cnt;
++	/* Make sure the buffer contains at least the number of bits requested */
++	if ((*len + octet_cnt) > limit) {
++		return -1;
+ 	}
+ 
++	*p_num_octets = octet_cnt;
++	*p_object = &buf[*len];
++	*len += octet_cnt;
++
+ 	return 0;
+ }
+ /*- End of function --------------------------------------------------------*/
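Review bot: The relocated bounds check in decode_open_type() still tests the sum, `(*len + octet_cnt) > limit`, and with `len` and `limit` declared as unsigned int, an attacker-controlled length from decode_length() that is large enough could wrap the addition and pass the check, assuming octet_cnt is unsigned as well. Comparing against the remaining space instead, for example `octet_cnt > limit - *len` after confirming `*len <= limit`, cannot wrap. The carried-over comment also says "bits" although the value being checked is an octet count. Separately, the new file under debian/patches starts directly at `diff --git a/main/udptl.c` with no patch header, so a short description, the origin of the fix and the CVE-2016-2232 reference would make it easier to audit later.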
diff --git a/debian/patches/series b/debian/patches/series
index 4bb9802..ca582c3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,4 +40,5 @@ AST-2014-017.patch
 AST-2014-018.patch
 AST-2014-019.patch
 AST-2015-003-11.diff
+AST-2016-003-11.diff
 AST-2016-007.patch
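Review bot: The diffstat lists only the patch file and debian/patches/series, so this commit records the CVE fix without a debian/changelog entry; if another commit in this push does not add one, it should name AST-2016-003 and CVE-2016-2232 so the security tracker can tie the upload to the fix. The placement of `AST-2016-003-11.diff` ahead of `AST-2016-007.patch` keeps the series in advisory order, which is fine as long as the two patches do not touch overlapping context.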

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-voip/asterisk.git



