[asterisk-commits] russell: branch 1.2 r75444 - /branches/1.2/channels/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Jul 17 15:45:28 CDT 2007 

Author: russell
Date: Tue Jul 17 15:45:27 2007
New Revision: 75444

URL: http://svn.digium.com/view/asterisk?view=rev&rev=75444
Log:
Ensure that when encoding the contents of an ast_frame into an iax_frame, that
the size of the destination buffer is known in the iax_frame so that code
won't write past the end of the allocated buffer when sending outgoing frames.
(ASA-2007-014)

Modified:
    branches/1.2/channels/chan_iax2.c
    branches/1.2/channels/iax2-parser.c
    branches/1.2/channels/iax2-parser.h

Modified: branches/1.2/channels/chan_iax2.c
URL: http://svn.digium.com/view/asterisk/branches/1.2/channels/chan_iax2.c?view=diff&rev=75444&r1=75443&r2=75444
==============================================================================
--- branches/1.2/channels/chan_iax2.c (original)
+++ branches/1.2/channels/chan_iax2.c Tue Jul 17 15:45:27 2007
@@ -4020,7 +4020,9 @@
 	int sendmini=0;
 	unsigned int lastsent;
 	unsigned int fts;
-		
+
+	frb.fr2.afdatalen = sizeof(frb.buffer);
+
 	if (!pvt) {
 		ast_log(LOG_WARNING, "No private structure for packet?\n");
 		return -1;
@@ -6435,7 +6437,8 @@
 	/* allocate an iax_frame with 4096 bytes of data buffer */
 	fr = alloca(sizeof(*fr) + 4096);
 	fr->callno = 0;
-	
+	fr->afdatalen = 4096; /* From alloca() above */
+
 	res = recvfrom(fd, buf, sizeof(buf), 0,(struct sockaddr *) &sin, &len);
 	if (res < 0) {
 		if (errno != ECONNREFUSED)

Modified: branches/1.2/channels/iax2-parser.c
URL: http://svn.digium.com/view/asterisk/branches/1.2/channels/iax2-parser.c?view=diff&rev=75444&r1=75443&r2=75444
==============================================================================
--- branches/1.2/channels/iax2-parser.c (original)
+++ branches/1.2/channels/iax2-parser.c Tue Jul 17 15:45:27 2007
@@ -904,13 +904,20 @@
 	fr->af.delivery.tv_usec = 0;
 	fr->af.data = fr->afdata;
 	if (fr->af.datalen) {
+		size_t copy_len = fr->af.datalen;
+		if (copy_len > fr->afdatalen) {
+			ast_log(LOG_ERROR, "Losing frame data because destination buffer size '%d' bytes not big enough for '%d' bytes in the frame\n",
+				(int) fr->afdatalen, (int) fr->af.datalen);
+			copy_len = fr->afdatalen;
+		}
 #if __BYTE_ORDER == __LITTLE_ENDIAN
 		/* We need to byte-swap slinear samples from network byte order */
 		if ((fr->af.frametype == AST_FRAME_VOICE) && (fr->af.subclass == AST_FORMAT_SLINEAR)) {
-			ast_swapcopy_samples(fr->af.data, f->data, fr->af.samples);
+			/* 2 bytes / sample for SLINEAR */
+			ast_swapcopy_samples(fr->af.data, f->data, copy_len / 2);
 		} else
 #endif
-		memcpy(fr->af.data, f->data, fr->af.datalen);
+			memcpy(fr->af.data, f->data, copy_len);
 	}
 }
 
@@ -919,6 +926,7 @@
 	struct iax_frame *fr;
 	fr = malloc((int)sizeof(struct iax_frame) + datalen);
 	if (fr) {
+		fr->afdatalen = datalen;
 		fr->direction = direction;
 		fr->retrans = -1;
 		frames++;

Modified: branches/1.2/channels/iax2-parser.h
URL: http://svn.digium.com/view/asterisk/branches/1.2/channels/iax2-parser.h?view=diff&rev=75444&r1=75443&r2=75444
==============================================================================
--- branches/1.2/channels/iax2-parser.h (original)
+++ branches/1.2/channels/iax2-parser.h Tue Jul 17 15:45:27 2007
@@ -119,6 +119,8 @@
 	struct iax_frame *prev;
 	/* Actual, isolated frame header */
 	struct ast_frame af;
+	/* Amount of data _allocated_ for afdata */
+	size_t afdatalen;
 	unsigned char unused[AST_FRIENDLY_OFFSET];
 	unsigned char afdata[0];	/* Data for frame */
 };

More information about the asterisk-commits mailing list