[asterisk-commits] mjordan: branch certified-1.8.15 r378290 - in /certified/branches/1.8.15: ./ ...

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Wed Jan 2 10:00:10 CST 2013


Author: mjordan
Date: Wed Jan  2 10:00:06 2013
New Revision: 378290

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=378290
Log:
Resolve crashes due to large stack allocations when using TCP

Asterisk had several places where messages received over various network
transports may be copied in a single stack allocation. In the case of TCP,
since multiple packets in a stream may be concatenated together, this can
lead to large allocations that overflow the stack.

This patch modifies those portions of Asterisk using TCP to either
favor heap allocations or use an upper bound to ensure that the stack will not
overflow:
 * For HTTP, the allocation is now a heap allocation instead of a stack
   allocation
 * For XMPP (in res_jabber), the allocation has been eliminated since it was
   unnecessary.

Note that the HTTP portion of this issue was independently found by Brandon
Edwards of Exodus Intelligence.

(issue ASTERISK-20658)
Reported by: wdoekes, Brandon Edwards
Tested by: mmichelson, wdoekes
patches:
  ASTERISK-20658_res_jabber.c.patch uploaded by mmichelson (license 5049)
  issueA20658_http_postvars_use_malloc2.patch uploaded by wdoekes (license 5674)
........

Merged revisions 378269 from http://svn.asterisk.org/svn/asterisk/branches/1.8

Modified:
    certified/branches/1.8.15/   (props changed)
    certified/branches/1.8.15/main/http.c
    certified/branches/1.8.15/res/res_jabber.c

Propchange: certified/branches/1.8.15/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.

Modified: certified/branches/1.8.15/main/http.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.15/main/http.c?view=diff&rev=378290&r1=378289&r2=378290
==============================================================================
--- certified/branches/1.8.15/main/http.c (original)
+++ certified/branches/1.8.15/main/http.c Wed Jan  2 10:00:06 2013
@@ -622,6 +622,7 @@
 	int content_length = 0;
 	struct ast_variable *v, *post_vars=NULL, *prev = NULL;
 	char *buf, *var, *val;
+	int res;
 
 	for (v = headers; v; v = v->next) {
 		if (!strcasecmp(v->name, "Content-Type")) {
@@ -634,21 +635,27 @@
 
 	for (v = headers; v; v = v->next) {
 		if (!strcasecmp(v->name, "Content-Length")) {
-			content_length = atoi(v->value) + 1;
+			content_length = atoi(v->value);
 			break;
 		}
 	}
 
-	if (!content_length) {
+	if (content_length <= 0) {
 		return NULL;
 	}
 
-	if (!(buf = alloca(content_length))) {
+	buf = ast_malloc(content_length + 1);
+	if (!buf) {
 		return NULL;
 	}
-	if (!fgets(buf, content_length, ser->f)) {
-		return NULL;
-	}
+
+	res = fread(buf, 1, content_length, ser->f);
+	if (res < content_length) {
+		/* Error, distinguishable by ferror() or feof(), but neither
+		 * is good. */
+		goto done;
+	}
+	buf[content_length] = '\0';
 
 	while ((val = strsep(&buf, "&"))) {
 		var = strsep(&val, "=");
@@ -667,6 +674,9 @@
 			prev = v;
 		}
 	}
+	
+done:
+	ast_free(buf);
 	return post_vars;
 }
 

Modified: certified/branches/1.8.15/res/res_jabber.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.15/res/res_jabber.c?view=diff&rev=378290&r1=378289&r2=378290
==============================================================================
--- certified/branches/1.8.15/res/res_jabber.c (original)
+++ certified/branches/1.8.15/res/res_jabber.c Wed Jan  2 10:00:06 2013
@@ -777,7 +777,7 @@
  */
 static int acf_jabberreceive_read(struct ast_channel *chan, const char *name, char *data, char *buf, size_t buflen)
 {
-	char *aux = NULL, *parse = NULL;
+	char *parse = NULL;
 	int timeout;
 	int jidlen, resourcelen;
 	struct timeval start;
@@ -894,7 +894,7 @@
 				continue;
 			}
 			found = 1;
-			aux = ast_strdupa(tmp->message);
+			ast_copy_string(buf, tmp->message, buflen);
 			AST_LIST_REMOVE_CURRENT(list);
 			aji_message_destroy(tmp);
 			break;
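Review bot: With the copy moved to `ast_copy_string(buf, tmp->message, buflen);` inside the traversal, the caller's output buffer is written before the function has settled on its return value; if any later `return -1` path (such as the timeout exit shown in the third hunk) could be reached after `found` is set, the caller would get an error alongside a partially filled buf. From this hunk alone that looks unreachable because of the `break`, but a one-line comment above the copy, e.g. `/* copied straight into the caller's buffer; no error exit may follow once found is set */`, would keep a future edit from reintroducing such a path. `ast_copy_string` also truncates silently when the message is longer than buflen, so a debug-level log on truncation would make that visible to operators. The traversal and the enclosing function extend beyond this hunk.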
@@ -919,7 +919,6 @@
 		ast_log(LOG_NOTICE, "Timed out : no message received from %s\n", args.jid);
 		return -1;
 	}
-	ast_copy_string(buf, aux, buflen);
 
 	return 0;
 }



