[svn-commits] twilson: branch 10 r345164 - in /branches/10: ./	main/channel.c
    SVN commits to the Digium repositories 
    svn-commits at lists.digium.com
       
    Mon Nov 14 13:10:19 CST 2011
    
    
  
Author: twilson
Date: Mon Nov 14 13:10:13 2011
New Revision: 345164
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=345164
Log:
Don't read past end of input when calling write()
int blah = 1;
...
write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) !=
(new_frames * sizeof(blah)))
is only valid when new_frames == 1. Otherwise we start reading into adjacent
variables declared on the stack. The read end discards what is read, so the
values don't matter but it's not a good idea to read past where we want even
though new_frames is almost always 1 and should never be large. This patch is
basically taken out of kpfleming's eventfd branch, as he mentioned that he
remembered fixing it there when I talked to him about this issue.
Review: https://reviewboard.asterisk.org/r/1583/
........
Merged revisions 345163 from http://svn.asterisk.org/svn/asterisk/branches/1.8
Modified:
    branches/10/   (props changed)
    branches/10/main/channel.c
Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.
Modified: branches/10/main/channel.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/main/channel.c?view=diff&rev=345164&r1=345163&r2=345164
==============================================================================
--- branches/10/main/channel.c (original)
+++ branches/10/main/channel.c Mon Nov 14 13:10:13 2011
@@ -1413,7 +1413,6 @@
 {
 	struct ast_frame *f;
 	struct ast_frame *cur;
-	int blah = 1;
 	unsigned int new_frames = 0;
 	unsigned int new_voice_frames = 0;
 	unsigned int queued_frames = 0;
@@ -1512,7 +1511,10 @@
 	}
 
 	if (chan->alertpipe[1] > -1) {
-		if (write(chan->alertpipe[1], &blah, new_frames * sizeof(blah)) != (new_frames * sizeof(blah))) {
+		int blah[new_frames];
+
+		memset(blah, 1, sizeof(blah));
+		if (write(chan->alertpipe[1], &blah, sizeof(blah)) != (sizeof(blah))) {
 			ast_log(LOG_WARNING, "Unable to write to alert pipe on %s (qlen = %d): %s!\n",
 				chan->name, queued_frames, strerror(errno));
 		}
    
    
More information about the svn-commits
mailing list