[asterisk-dev] Is this a bug in frame.c?
Slav Klenov
slav at securax.org
Thu Jun 8 09:14:19 MST 2006
A recent bugfix in the ast_frisolate() function addresses a memory
corruption issue when the frame header is mallocd, but the frame data
isn't. The bugfix is currently present in both the 1.2 branch and trunk.
In asterisk 1.2.9.1:
    if (!(fr->mallocd & AST_MALLOCD_DATA)) {
        newdata = malloc(fr->datalen + AST_FRIENDLY_OFFSET);
        if (!newdata) {
            free(out);
            ast_log(LOG_WARNING, "Out of memory\n");
            return NULL;
        }
        newdata += AST_FRIENDLY_OFFSET;
        ...
In trunk:
    if (!(fr->mallocd & AST_MALLOCD_DATA)) {
        if (!(newdata = ast_malloc(fr->datalen + AST_FRIENDLY_OFFSET))) {
            free(out);
            return NULL;
        }
        newdata += AST_FRIENDLY_OFFSET;
        ...
I think there's still a problem when the frame header isn't allocated and
the data allocation fails. Shouldn't we have:
    if (!(fr->mallocd & AST_MALLOCD_DATA)) {
        if (!(newdata = ast_malloc(fr->datalen + AST_FRIENDLY_OFFSET))) {
            if (out != fr)
                free(out);
            return NULL;
        }
        newdata += AST_FRIENDLY_OFFSET;
        ...
instead?
Slav
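To make the failure path concrete, here is a constructed C model of the ast_frisolate() cleanup logic discussed above (an added example, not Asterisk's frame.c): the struct layout, flag values, fault-injecting allocator and the `fixed_cleanup` switch are all assumptions of this example. It shows that, when the caller's header is already heap-owned (out == fr) and the data allocation fails, the unguarded free(out) frees the caller's frame behind its back, while the proposed `if (out != fr)` guard leaves it intact and reusable.

```c
/* Constructed model of ast_frisolate()'s cleanup path; not Asterisk's frame.c. */
#include <stdlib.h>
#include <string.h>

#define AST_MALLOCD_HDR     (1 << 0)   /* assumed flag values */
#define AST_MALLOCD_DATA    (1 << 2)
#define AST_FRIENDLY_OFFSET 64

struct ast_frame { int mallocd; int datalen; void *data; };

/* Fault injection: when set, the next data allocation fails (simulates OOM). */
static int fail_next_alloc;
static void *maybe_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Record what the cleanup path freed so the caller can check for misuse. */
static void *last_freed;
static void tracked_free(void *p) { last_freed = p; free(p); }

/* fixed_cleanup != 0 selects the proposed `if (out != fr) free(out)` guard. */
static struct ast_frame *isolate(struct ast_frame *fr, int fixed_cleanup) {
    struct ast_frame *out;
    char *newdata;
    last_freed = NULL;
    if (!(fr->mallocd & AST_MALLOCD_HDR)) {
        if (!(out = calloc(1, sizeof(*out)))) return NULL; /* fresh header */
        out->datalen = fr->datalen;
    } else {
        out = fr;   /* header already heap-owned: reuse the caller's frame */
    }
    if (!(fr->mallocd & AST_MALLOCD_DATA)) {
        if (!(newdata = maybe_malloc(fr->datalen + AST_FRIENDLY_OFFSET))) {
            /* Unguarded: frees the caller's own frame whenever out == fr. */
            if (!fixed_cleanup || out != fr)
                tracked_free(out);
            return NULL;
        }
        newdata += AST_FRIENDLY_OFFSET;
        memcpy(newdata, fr->data, fr->datalen);
        out->data = newdata;
    }
    out->mallocd = AST_MALLOCD_HDR | AST_MALLOCD_DATA;
    return out;
}
```

On the buggy path the caller still holds fr and will later free it again or keep reading it, which is the double free / use-after-free the guard prevents.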