[asterisk-commits] seanbright: branch 1.4 r236509 - /branches/1.4/apps/app_meetme.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Mon Dec 28 06:43:41 CST 2009


Author: seanbright
Date: Mon Dec 28 06:43:36 2009
New Revision: 236509

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=236509
Log:
Avoid a crash with large numbers of MeetMe conferences.

Similar to changes made to Queue(), when we have large numbers of conferences in
meetme.conf (1000s) and we use alloca()/strdupa(), we can blow out the stack and
crash, so instead just use a single fixed buffer.

(closes issue #16509)
Reported by: Kashif Raza
Patches:
      20091223_16509.patch uploaded by seanbright (license 71)
Tested by: seanbright

Modified:
    branches/1.4/apps/app_meetme.c

Modified: branches/1.4/apps/app_meetme.c
URL: http://svnview.digium.com/svn/asterisk/branches/1.4/apps/app_meetme.c?view=diff&rev=236509&r1=236508&r2=236509
==============================================================================
--- branches/1.4/apps/app_meetme.c (original)
+++ branches/1.4/apps/app_meetme.c Mon Dec 28 06:43:36 2009
@@ -318,6 +318,9 @@
 
 #define MAX_CONFNUM 80
 #define MAX_PIN     80
+
+/* Enough space for "<conference #>,<pin>,<admin pin>" followed by a 0 byte. */
+#define MAX_SETTINGS (MAX_CONFNUM + MAX_PIN + MAX_PIN + 3)
 
 enum announcetypes {
 	CONF_HASJOIN,
@@ -2563,7 +2566,6 @@
 	struct ast_config *cfg;
 	struct ast_variable *var;
 	struct ast_conference *cnf;
-	char *parse;
 	AST_DECLARE_APP_ARGS(args,
 		AST_APP_ARG(confno);
 		AST_APP_ARG(pin);
@@ -2602,13 +2604,15 @@
 				ast_log(LOG_WARNING, "No %s file :(\n", CONFIG_FILE_NAME);
 				return NULL;
 			}
+
 			for (var = ast_variable_browse(cfg, "rooms"); var; var = var->next) {
+				char parse[MAX_SETTINGS];
+
 				if (strcasecmp(var->name, "conf"))
 					continue;
-				
-				if (!(parse = ast_strdupa(var->value)))
-					return NULL;
-				
+
+				ast_copy_string(parse, var->value, sizeof(parse));
+
 				AST_NONSTANDARD_APP_ARGS(args, parse, ',');
 				if (!strcasecmp(args.confno, confno)) {
 					/* Bingo it's a valid conference */
@@ -2774,33 +2778,32 @@
 				if (cfg) {
 					var = ast_variable_browse(cfg, "rooms");
 					while (var) {
+						char parse[MAX_SETTINGS], *stringp = parse, *confno_tmp;
 						if (!strcasecmp(var->name, "conf")) {
-							char *stringp = ast_strdupa(var->value);
-							if (stringp) {
-								char *confno_tmp = strsep(&stringp, "|,");
-								int found = 0;
-								if (!dynamic) {
-									/* For static:  run through the list and see if this conference is empty */
-									AST_LIST_LOCK(&confs);
-									AST_LIST_TRAVERSE(&confs, cnf, list) {
-										if (!strcmp(confno_tmp, cnf->confno)) {
-											/* The conference exists, therefore it's not empty */
-											found = 1;
-											break;
-										}
+							int found = 0;
+							ast_copy_string(parse, var->value, sizeof(parse));
+							confno_tmp = strsep(&stringp, "|,");
+							if (!dynamic) {
+								/* For static:  run through the list and see if this conference is empty */
+								AST_LIST_LOCK(&confs);
+								AST_LIST_TRAVERSE(&confs, cnf, list) {
+									if (!strcmp(confno_tmp, cnf->confno)) {
+										/* The conference exists, therefore it's not empty */
+										found = 1;
+										break;
 									}
-									AST_LIST_UNLOCK(&confs);
-									if (!found) {
-										/* At this point, we have a confno_tmp (static conference) that is empty */
-										if ((empty_no_pin && ast_strlen_zero(stringp)) || (!empty_no_pin)) {
-											/* Case 1:  empty_no_pin and pin is nonexistent (NULL)
-											 * Case 2:  empty_no_pin and pin is blank (but not NULL)
-											 * Case 3:  not empty_no_pin
-											 */
-											ast_copy_string(confno, confno_tmp, sizeof(confno));
-											break;
-											/* XXX the map is not complete (but we do have a confno) */
-										}
+								}
+								AST_LIST_UNLOCK(&confs);
+								if (!found) {
+									/* At this point, we have a confno_tmp (static conference) that is empty */
+									if ((empty_no_pin && ast_strlen_zero(stringp)) || (!empty_no_pin)) {
+										/* Case 1:  empty_no_pin and pin is nonexistent (NULL)
+										 * Case 2:  empty_no_pin and pin is blank (but not NULL)
+										 * Case 3:  not empty_no_pin
+										 */
+										ast_copy_string(confno, confno_tmp, sizeof(confno));
+										break;
+										/* XXX the map is not complete (but we do have a confno) */
 									}
 								}
 							}




More information about the asterisk-commits mailing list