[Asterisk-code-review] func strings: negative array index can cause corruption on s... (asterisk[13])
Kevin Harwell
asteriskteam at digium.com
Fri Nov 16 14:54:03 CST 2018
Kevin Harwell has uploaded this change for review. ( https://gerrit.asterisk.org/10664
Change subject: func_strings: negative array index can cause corruption on some architectures
......................................................................
func_strings: negative array index can cause corruption on some architectures
When using the HASHKEYS function if there are no matching keys the code writes
a NULL value to a negative index on the given buffer.
This patch protects the write by first checking if the buffer's length is not
zero before writing. If so it skips the write.
ASTERISK-28159
Change-Id: I6e57fe7307dfd856271753aed5ba64c59b511487
---
M funcs/func_strings.c
1 file changed, 10 insertions(+), 2 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/64/10664/1
diff --git a/funcs/func_strings.c b/funcs/func_strings.c
index eecbb58..72347ca 100644
--- a/funcs/func_strings.c
+++ b/funcs/func_strings.c
@@ -1095,6 +1095,7 @@
{
struct ast_var_t *newvar;
struct ast_str *prefix = ast_str_alloca(80);
+ size_t buf_len;
if (!chan) {
ast_log(LOG_WARNING, "No channel was provided to %s function.\n", cmd);
@@ -1113,7 +1114,10 @@
}
}
/* Trim the trailing comma */
- buf[strlen(buf) - 1] = '\0';
+ buf_len = strlen(buf);
+ if (buf_len) {
+ buf[buf_len - 1] = '\0';
+ }
return 0;
}
@@ -1122,6 +1126,7 @@
struct ast_var_t *newvar;
struct ast_str *prefix = ast_str_alloca(80);
char *tmp;
+ size_t buf_len;
if (!chan) {
ast_log(LOG_WARNING, "No channel was provided to %s function.\n", cmd);
@@ -1140,8 +1145,11 @@
}
}
/* Trim the trailing comma */
+ buf_len = ast_str_strlen(*buf);
tmp = ast_str_buffer(*buf);
- tmp[ast_str_strlen(*buf) - 1] = '\0';
+ if (buf_len) {
+ tmp[buf_len - 1] = '\0';
+ }
return 0;
}
--
To view, visit https://gerrit.asterisk.org/10664
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-MessageType: newchange
Gerrit-Change-Id: I6e57fe7307dfd856271753aed5ba64c59b511487
Gerrit-Change-Number: 10664
Gerrit-PatchSet: 1
Gerrit-Owner: Kevin Harwell <kharwell at digium.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-code-review/attachments/20181116/f9738570/attachment.html>
More information about the asterisk-code-review
mailing list