Commit ce9765032f for asterisk.org

commit ce9765032fe10a3b0d084604a8f4d87966411313
Author: Naveen Albert <asterisk@phreaknet.org>
Date:   Sat Apr 11 12:57:18 2026 -0400

    chan_iax2: Add another check to abort frame handling if datalen < 0.

    Commit 2da221e217cbff957af928e8df43ee25583232d1 added a missing abort
    if datalen < 0 check on a code path and an assertion inside
    iax_frame_wrap if we ever encountered a frame with a negative frame
    length (which will eventually cause a crash).

    Add another missing abort check for negative datalen, exposed by this
    assertion. (Similar to the previous commit, this is a video frame with
    a datalen of -1).

    Resolves: #1865

diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index c9aab2d20e..fabab6cb79 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -12157,6 +12157,13 @@ immediatedial:
 	} else
 		f.samples = 0;

+	if (f.datalen < 0) {
+		ast_log(LOG_ERROR, "Dropping malformed frame (datalen %d?)\n", f.datalen);
+		ast_variables_destroy(ies.vars);
+		ast_mutex_unlock(&iaxsl[fr->callno]);
+		return 1;
+	}
+
 	iax_frame_wrap(fr, &f);

 	/* If this is our most recent packet, use it as our basis for timestamping */