[asterisk-commits] twilson: branch 1.6.0 r168595 - in /branches/1.6.0: ./ apps/app_page.c

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Tue Jan 13 20:06:19 CST 2009


Author: twilson
Date: Tue Jan 13 20:06:19 2009
New Revision: 168595

URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=168595
Log:
Merged revisions 168594 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r168594 | twilson | 2009-01-13 20:00:40 -0600 (Tue, 13 Jan 2009) | 27 lines
  
  Merged revisions 168593 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r168593 | twilson | 2009-01-13 19:27:18 -0600 (Tue, 13 Jan 2009) | 20 lines
    
    Don't overflow when paging more than 128 extensions
    
    The number of available slots for calls in app_page was hardcoded to 128.
    Proper bounds checking was not in place to enforce this limit, so if more than
    128 extensions were passed to the Page() app, Asterisk would crash.  This patch
    instead dynamically allocates memory for the ast_dial structures and removes
    the (non-functional) arbitrary limit.
    
    This issue would have special importance to anyone who is dynamically creating
    the argument passed to the Page application and allowing more than 128
    extensions to be added by an outside user via some external interface.
    
    The patch posted by a_villacis was slightly modified for some coding guidelines
    and other cleanups.  Thanks, a_villacis!
    (closes issue #14217)
    Reported by: a_villacis
    Patches: 
          20080912-asterisk-app_page-fix-buffer-overflow.patch uploaded by a (license 660)
    Tested by: otherwiseguy
  ........
................

Modified:
    branches/1.6.0/   (props changed)
    branches/1.6.0/apps/app_page.c

Propchange: branches/1.6.0/
------------------------------------------------------------------------------
Binary property 'trunk-merged' - no diff available.

Modified: branches/1.6.0/apps/app_page.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.6.0/apps/app_page.c?view=diff&rev=168595&r1=168594&r2=168595
==============================================================================
--- branches/1.6.0/apps/app_page.c (original)
+++ branches/1.6.0/apps/app_page.c Tue Jan 13 20:06:19 2009
@@ -73,17 +73,17 @@
 	AST_APP_OPTION('s', PAGE_SKIP),
 });
 
-#define MAX_DIALS 128
 
 static int page_exec(struct ast_channel *chan, void *data)
 {
-	char *options, *tech, *resource, *tmp;
+	char *options, *tech, *resource, *tmp, *tmp2;
 	char meetmeopts[88], originator[AST_CHANNEL_NAME], *opts[0];
 	struct ast_flags flags = { 0 };
 	unsigned int confid = ast_random();
 	struct ast_app *app;
 	int res = 0, pos = 0, i = 0;
-	struct ast_dial *dials[MAX_DIALS];
+	struct ast_dial **dial_list;
+	unsigned int num_dials;
 
 	if (ast_strlen_zero(data)) {
 		ast_log(LOG_WARNING, "This application requires at least one argument (destination(s) to page)\n");
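Review bot: in the declarations at the top of page_exec(), pos stays "int" while the new num_dials is "unsigned int", so any comparison between the array index and the slot count mixes signedness. Declare both as unsigned int (or size_t). dial_list is also declared without an initializer; setting it to NULL would let an error path free it unconditionally. Minor style point: removing the MAX_DIALS define leaves two consecutive blank lines before page_exec().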
@@ -107,6 +107,18 @@
 
 	snprintf(meetmeopts, sizeof(meetmeopts), "MeetMe,%ud,%s%sqxdw(5)", confid, (ast_test_flag(&flags, PAGE_DUPLEX) ? "" : "m"),
 		(ast_test_flag(&flags, PAGE_RECORD) ? "r" : "") );
+
+	/* Count number of extensions in list by number of ampersands + 1 */
+	num_dials = 1;
+	tmp2 = tmp;
+	while (*tmp2 && *tmp2++ == '&') {
+		num_dials++;
+	}
+
+	if (!(dial_list = ast_calloc(num_dials, sizeof(void *)))) {
+		ast_log(LOG_ERROR, "Can't allocate %ld bytes for dial list\n", (sizeof(void *) * num_dials));
+		return -1;
+	}
 
 	/* Go through parsing/calling each device */
 	while ((tech = strsep(&tmp, "&"))) {
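Review bot: the counting loop "while (*tmp2 && *tmp2++ == '&')" exits on the first character that is not an ampersand, so it counts only leading ampersands rather than every separator in the list. For an argument whose first character is not '&', num_dials stays at 1 and dial_list is allocated with a single slot, while the strsep() loop that follows still iterates once per extension. Walk the whole string instead, for example "for (tmp2 = tmp; *tmp2; tmp2++) { if (*tmp2 == '&') num_dials++; }". Separately, the ast_log() call prints a size_t expression with %ld; use a size_t format or cast the value to match.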
@@ -152,7 +164,7 @@
 		ast_dial_run(dial, chan, 1);
 
 		/* Put in our dialing array */
-		dials[pos++] = dial;
+		dial_list[pos++] = dial;
 	}
 
 	if (!ast_test_flag(&flags, PAGE_QUIET)) {
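Review bot: the store "dial_list[pos++] = dial;" has no check that pos is still below num_dials, so the write is only as safe as the count computed before the allocation. Add a guard before the store, along the lines of "if (pos >= num_dials) { ast_dial_destroy(dial); break; }" with a log message, so that a miscount cannot turn into a write past the end of the heap buffer.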
@@ -169,7 +181,7 @@
 
 	/* Go through each dial attempt cancelling, joining, and destroying */
 	for (i = 0; i < pos; i++) {
-		struct ast_dial *dial = dials[i];
+		struct ast_dial *dial = dial_list[i];
 
 		/* We have to wait for the async thread to exit as it's possible Meetme won't throw them out immediately */
 		ast_dial_join(dial);
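Review bot: nothing in this patch releases dial_list. The cleanup loop here reads dial_list[i], but no added line calls ast_free() on the array that the earlier hunk obtains with ast_calloc(). Free it after this loop, and on any return path taken after the allocation; otherwise every Page() invocation leaks the pointer array.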



