From ba46c5ca035e39ed97a7b82fc5251153d8535ea7 Mon Sep 17 00:00:00 2001
From: Matthew Fredrickson
Date: Fri, 11 Jan 2008 16:34:44 +0000
Subject: [PATCH] Merged revisions 513 via svnmerge from https://origsvn.digium.com/svn/libpri/branches/1.2
........
r513 | mattf | 2008-01-11 10:33:52 -0600 (Fri, 11 Jan 2008) | 1 line
We should not be parsing further into the bearer capability IE if the length does not confirm that there actually is data present
........
git-svn-id: https://origsvn.digium.com/svn/libpri/branches/1.4@514 2fbb986a-6c06-0410-b554-c9c1f0a7f128
---
 q931.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/q931.c b/q931.c
index cf9da47..bc770b7 100644
--- a/q931.c
+++ b/q931.c
@@ -591,8 +591,9 @@ static FUNC_DUMP(dump_bearer_capability)
 pos++;
 }
 /* Stop here if no more */
- if (pos >= len)
+ if (pos >= len - 2)
 return;
+
 if ((ie->data[1] & 0x7f) != TRANS_MODE_PACKET) {
 /* Look for octets 5 and 5.a if present */
 pri_message(pri, "%c Ext: %d User information layer 1: %s (%d)\n", prefix, (ie->data[pos] >> 7), l12str(ie->data[pos] & 0x7f), ie->data[pos] & 0x7f);
@@ -619,6 +620,10 @@ static FUNC_RECV(receive_bearer_capability)
 call->transmoderate = ie->data[1] & 0x7f;
 if (call->transmoderate == PRI_TRANS_CAP_AUDIO_4ESS)
 call->transmoderate = PRI_TRANS_CAP_3_1K_AUDIO;
+
+ if (pos >= len - 2)
+ return 0;
+
 if (call->transmoderate != TRANS_MODE_PACKET) {
 call->userl1 = ie->data[pos] & 0x7f;
 if (call->userl1 == PRI_LAYER_1_ITU_RATE_ADAPT) {
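Review bot: The `- 2` in the new guard `if (pos >= len - 2)` in dump_bearer_capability is unexplained, and the comment above it still says only "Stop here if no more". Presumably `len` counts the two IE header octets while `ie->data[]` begins after them; a comment such as `/* len includes the 2-octet IE header, so ie->data[] holds len - 2 octets */` would record that, once confirmed against the FUNC_DUMP definition, which is outside the hunk. Writing the test as `if (pos + 2 >= len)` gives the same result for a signed `len` and stays correct if `len` is ever an unsigned type, where `len - 2` would wrap for a very short IE. The same expression is used in the receive_bearer_capability hunk, and the function body here starts and ends outside the hunk.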
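Review bot: The added guard in receive_bearer_capability comes after the context line `call->transmoderate = ie->data[1] & 0x7f;`, so `ie->data[1]` is still read before any length check visible in this hunk. Unless an earlier check exists outside the hunk, an IE carrying fewer than two content octets is read past its end, and a minimum-length test ahead of the first `ie->data[]` access would close that. The guard also bounds only the octet at `pos`; the `PRI_LAYER_1_ITU_RATE_ADAPT` branch that opens on the last line presumably reads further octets and would need its own bound. `return 0;` accepts the truncated IE silently and leaves `call->userl1` at whatever value it held before, so a `pri_error`-style log line or a comment such as `/* truncated IE: keep defaults for octet 5 onward */` would make that choice explicit.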