Merged revisions 513 via svnmerge from

https://origsvn.digium.com/svn/libpri/branches/1.2 ........ r513 | mattf | 2008-01-11 10:33:52 -0600 (Fri, 11 Jan 2008) | 1 line We should not be parsing further into the bearer capability IE if the length does not confirm that there actually is data present ........ git-svn-id: https://origsvn.digium.com/svn/libpri/branches/1.4@514 2fbb986a-6c06-0410-b554-c9c1f0a7f128
2008-01-11 16:34:44 +00:00 · 2008-01-11 16:34:44 +00:00 · ba46c5ca03
commit ba46c5ca03
parent 33a28eeda1
1 changed files with 6 additions and 1 deletions
--- a/q931.c
+++ b/q931.c
@ -591,8 +591,9 @@ static FUNC_DUMP(dump_bearer_capability)
 		pos++;
 	}
 	/* Stop here if no more */
-	if (pos >= len)
+	if (pos >= len - 2)
 		return;
+
 	if ((ie->data[1] & 0x7f) != TRANS_MODE_PACKET) {
 		/* Look for octets 5 and 5.a if present */
 		pri_message(pri, "%c                              Ext: %d  User information layer 1: %s (%d)\n", prefix, (ie->data[pos] >> 7), l12str(ie->data[pos] & 0x7f), ie->data[pos] & 0x7f);
@ -619,6 +620,10 @@ static FUNC_RECV(receive_bearer_capability)
 	call->transmoderate = ie->data[1] & 0x7f;
 	if (call->transmoderate == PRI_TRANS_CAP_AUDIO_4ESS)
 		call->transmoderate = PRI_TRANS_CAP_3_1K_AUDIO;
+
+	if (pos >= len - 2)
+		return 0;
+
 	if (call->transmoderate != TRANS_MODE_PACKET) {
 		call->userl1 = ie->data[pos] & 0x7f;
 		if (call->userl1 == PRI_LAYER_1_ITU_RATE_ADAPT) {