<p>Jenkins2 <strong>merged</strong> this change.</p><p><a href="https://gerrit.asterisk.org/10664">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Corey Farrell: Looks good to me, but someone else must approve
Joshua Colp: Looks good to me, approved
Jenkins2: Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">func_strings: HASHKEY - negative array index can cause corruption<br><br>This patch makes it so only matching non-empty key names, and keys created by<br>the HASH function are eligible for inclusion in the comma separated string. It<br>also fixes a bug where it was possible to write to a negative index if the<br>result buffer was empty.<br><br>ASTERISK-28159<br>patches:<br> ASTERISK-28159.diff submitted by Michael Walton (license 6502)<br><br>Change-Id: I6e57fe7307dfd856271753aed5ba64c59b511487<br>---<br>M funcs/func_strings.c<br>1 file changed, 41 insertions(+), 13 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/funcs/func_strings.c b/funcs/func_strings.c</span><br><span>index eecbb58..6af3aad 100644</span><br><span>--- a/funcs/func_strings.c</span><br><span>+++ b/funcs/func_strings.c</span><br><span>@@ -1091,10 +1091,33 @@</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static const char *get_key(const struct ast_str *prefix, const struct ast_var_t *var)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *prefix_name = ast_str_buffer(prefix);</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *var_name = ast_var_name(var);</span><br><span style="color: hsl(120, 100%, 40%);">+ int prefix_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ int var_len;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (ast_strlen_zero(var_name)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ prefix_len = ast_str_strlen(prefix);</span><br><span style="color: hsl(120, 100%, 40%);">+ var_len = strlen(var_name);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /*</span><br><span style="color: hsl(120, 100%, 40%);">+ * Make sure we only match on non-empty, hash function created keys. If valid</span><br><span style="color: hsl(120, 100%, 40%);">+ * then return a pointer to the variable that's just after the prefix.</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+ return var_len > (prefix_len + 1) && var_name[var_len - 1] == '~' &&</span><br><span style="color: hsl(120, 100%, 40%);">+ strncmp(prefix_name, var_name, prefix_len) == 0 ? var_name + prefix_len : NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int hashkeys_read(struct ast_channel *chan, const char *cmd, char *data, char *buf, size_t len)</span><br><span> {</span><br><span> struct ast_var_t *newvar;</span><br><span> struct ast_str *prefix = ast_str_alloca(80);</span><br><span style="color: hsl(120, 100%, 40%);">+ size_t buf_len;</span><br><span> </span><br><span> if (!chan) {</span><br><span> ast_log(LOG_WARNING, "No channel was provided to %s function.\n", cmd);</span><br><span>@@ -1105,15 +1128,19 @@</span><br><span> memset(buf, 0, len);</span><br><span> </span><br><span> AST_LIST_TRAVERSE(ast_channel_varshead(chan), newvar, entries) {</span><br><span style="color: hsl(0, 100%, 40%);">- if (strncmp(ast_str_buffer(prefix), ast_var_name(newvar), ast_str_strlen(prefix)) == 0) {</span><br><span style="color: hsl(0, 100%, 40%);">- /* Copy everything after the prefix */</span><br><span style="color: hsl(0, 100%, 40%);">- strncat(buf, ast_var_name(newvar) + ast_str_strlen(prefix), len - strlen(buf) - 1);</span><br><span style="color: hsl(0, 100%, 40%);">- /* Trim the trailing ~ */</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *key = get_key(prefix, newvar);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (key) {</span><br><span style="color: hsl(120, 100%, 40%);">+ strncat(buf, key, len - strlen(buf) - 1);</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Replace the trailing ~ */</span><br><span> buf[strlen(buf) - 1] = ',';</span><br><span> }</span><br><span> }</span><br><span> /* Trim the trailing comma */</span><br><span style="color: hsl(0, 100%, 40%);">- buf[strlen(buf) - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+ buf_len = strlen(buf);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (buf_len) {</span><br><span style="color: hsl(120, 100%, 40%);">+ buf[buf_len - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span>@@ -1121,7 +1148,6 @@</span><br><span> {</span><br><span> struct ast_var_t *newvar;</span><br><span> struct ast_str *prefix = ast_str_alloca(80);</span><br><span style="color: hsl(0, 100%, 40%);">- char *tmp;</span><br><span> </span><br><span> if (!chan) {</span><br><span> ast_log(LOG_WARNING, "No channel was provided to %s function.\n", cmd);</span><br><span>@@ -1131,17 +1157,19 @@</span><br><span> ast_str_set(&prefix, -1, HASH_PREFIX, data);</span><br><span> </span><br><span> AST_LIST_TRAVERSE(ast_channel_varshead(chan), newvar, entries) {</span><br><span style="color: hsl(0, 100%, 40%);">- if (strncmp(ast_str_buffer(prefix), ast_var_name(newvar), ast_str_strlen(prefix)) == 0) {</span><br><span style="color: hsl(0, 100%, 40%);">- /* Copy everything after the prefix */</span><br><span style="color: hsl(0, 100%, 40%);">- ast_str_append(buf, len, "%s", ast_var_name(newvar) + ast_str_strlen(prefix));</span><br><span style="color: hsl(0, 100%, 40%);">- /* Trim the trailing ~ */</span><br><span style="color: hsl(120, 100%, 40%);">+ const char *key = get_key(prefix, newvar);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (key) {</span><br><span style="color: hsl(120, 100%, 40%);">+ char *tmp;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_str_append(buf, len, "%s", key);</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Replace the trailing ~ */</span><br><span> tmp = ast_str_buffer(*buf);</span><br><span> tmp[ast_str_strlen(*buf) - 1] = ',';</span><br><span> }</span><br><span> }</span><br><span style="color: hsl(0, 100%, 40%);">- /* Trim the trailing comma */</span><br><span style="color: hsl(0, 100%, 40%);">- tmp = ast_str_buffer(*buf);</span><br><span style="color: hsl(0, 100%, 40%);">- tmp[ast_str_strlen(*buf) - 1] = '\0';</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ ast_str_truncate(*buf, -1);</span><br><span> return 0;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/10664">change 10664</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/10664"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 13 </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I6e57fe7307dfd856271753aed5ba64c59b511487 </div>
<div style="display:none"> Gerrit-Change-Number: 10664 </div>
<div style="display:none"> Gerrit-PatchSet: 3 </div>
<div style="display:none"> Gerrit-Owner: Kevin Harwell <kharwell@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Corey Farrell <git@cfware.com> </div>
<div style="display:none"> Gerrit-Reviewer: George Joseph <gjoseph@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins2 (1000185) </div>
<div style="display:none"> Gerrit-Reviewer: Joshua Colp <jcolp@digium.com> </div>