[asterisk-dev] [Code Review] Don't read past then end of our int when calling write() in __ast_queue_frame
Terry Wilson
reviewboard at asterisk.org
Fri Nov 11 22:25:01 CST 2011
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/1583/
-----------------------------------------------------------
Review request for Asterisk Developers.
Summary
-------
int blah = 1;
...
write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) != (new_frames * sizeof(blah)))
is only valid when new_frames == 1. Otherwise we start reading into adjacent variables declared on the stack. The read end discards what is read, so the values don't matter but it's not a good idea to read past where we want event though new_frames is almost always 1 and should never be large. This patch is basically taken out of kpfleming's eventfd branch, as he mentioned that he remembered fixing it there when I talked to him about this issue.
Another thing that could be done is to change blah to a char[] here and where we read from the alertpipe. There is no reason to write four bytes when we could just write one, but I can address that in a later patch.
Diffs
-----
/branches/1.8/main/channel.c 344438
Diff: https://reviewboard.asterisk.org/r/1583/diff
Testing
-------
It compiles. Calls still seem to work.
Thanks,
Terry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20111112/be6ac023/attachment.htm>
More information about the asterisk-dev
mailing list