<p>Kevin Harwell has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/10664">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">func_strings: negative array index can cause corruption on some architectures<br><br>When using the HASHKEYS function if there are no matching keys the code writes<br>a NULL value to a negative index on the given buffer.<br><br>This patch protects the write by first checking if the buffer's length is not<br>zero before writing. If so it skips the write.<br><br>ASTERISK-28159<br><br>Change-Id: I6e57fe7307dfd856271753aed5ba64c59b511487<br>---<br>M funcs/func_strings.c<br>1 file changed, 10 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/64/10664/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/funcs/func_strings.c b/funcs/func_strings.c</span><br><span>index eecbb58..72347ca 100644</span><br><span>--- a/funcs/func_strings.c</span><br><span>+++ b/funcs/func_strings.c</span><br><span>@@ -1095,6 +1095,7 @@</span><br><span> {</span><br><span>         struct ast_var_t *newvar;</span><br><span>    struct ast_str *prefix = ast_str_alloca(80);</span><br><span style="color: hsl(120, 100%, 40%);">+  size_t buf_len;</span><br><span> </span><br><span>  if (!chan) {</span><br><span>                 ast_log(LOG_WARNING, "No channel was provided to %s function.\n", cmd);</span><br><span>@@ -1113,7 +1114,10 @@</span><br><span>           }</span><br><span>    }</span><br><span>    /* Trim the trailing comma */</span><br><span style="color: hsl(0, 100%, 40%);">-   buf[strlen(buf) - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+  buf_len = strlen(buf);</span><br><span style="color: hsl(120, 100%, 40%);">+        if (buf_len) {</span><br><span style="color: hsl(120, 100%, 40%);">+            
    buf[buf_len - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+      }</span><br><span>    return 0;</span><br><span> }</span><br><span> </span><br><span>@@ -1122,6 +1126,7 @@</span><br><span>   struct ast_var_t *newvar;</span><br><span>    struct ast_str *prefix = ast_str_alloca(80);</span><br><span>         char *tmp;</span><br><span style="color: hsl(120, 100%, 40%);">+    size_t buf_len;</span><br><span> </span><br><span>  if (!chan) {</span><br><span>                 ast_log(LOG_WARNING, "No channel was provided to %s function.\n", cmd);</span><br><span>@@ -1140,8 +1145,11 @@</span><br><span>           }</span><br><span>    }</span><br><span>    /* Trim the trailing comma */</span><br><span style="color: hsl(120, 100%, 40%);">+ buf_len = ast_str_strlen(*buf);</span><br><span>      tmp = ast_str_buffer(*buf);</span><br><span style="color: hsl(0, 100%, 40%);">-     tmp[ast_str_strlen(*buf) - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+ if (buf_len) {</span><br><span style="color: hsl(120, 100%, 40%);">+                tmp[buf_len - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+      }</span><br><span>    return 0;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/10664">change 10664</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/10664"/><meta itemprop="name" content="View Change"/></div></div>
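Review bot: In the char-buffer variant (hunk at -1113), the new guard on buf_len = strlen(buf) only handles the no-match case correctly if buf already holds an empty string when the loop appends nothing, and the hunk does not show where buf is initialized. Please confirm buf is cleared (or buf[0] is set to '\0') before the loop; otherwise strlen() measures whatever the caller left in the buffer and the trim lands on an unrelated byte. The block also still assumes the last character is a comma; testing buf[buf_len - 1] == ',' before overwriting it would make that assumption explicit.<br>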
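Review bot: In the ast_str variant (hunk at -1140), tmp[buf_len - 1] = '\0' shortens the C string through the raw pointer from ast_str_buffer() but does not change the length the ast_str itself records, so a later ast_str_strlen(*buf) or append on this buffer would be off by one relative to its contents. Consider calling ast_str_truncate(*buf, -1) inside the if (buf_len) block instead, which drops the last character and updates the stored length together, and makes tmp unnecessary in this function.<br>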

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I6e57fe7307dfd856271753aed5ba64c59b511487 </div>
<div style="display:none"> Gerrit-Change-Number: 10664 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Kevin Harwell &lt;kharwell@digium.com&gt; </div>