[thirdparty-commits] rmudgett: mISDNuser/trunk r196 - /mISDNuser/trunk/lib/device.c

SVN commits to the Digium third-party software repository thirdparty-commits at lists.digium.com
Fri Sep 21 11:08:53 CDT 2012


Author: rmudgett
Date: Fri Sep 21 11:08:49 2012
New Revision: 196

URL: http://svnview.digium.com/svn/thirdparty?view=rev&rev=196
Log:
Fix a couple valgrind found issues.

Valgrind found two things:
1) Use of memcpy() with overlapping memory blocks.

2) Use of a pointer at the end of an allocated buffer passed to read().

The second finding could potentially result in corrupted memory.  However,
I could not see why the pointer could be pointing to the end of the
buffer.  I made mISDN_read_frame() reset the irp and iend pointer to the
inbuf.  I also saw that the remaining buffer length available calculation
for the read() was incorrect in the mISDN_read_frame() and mISDN_read()
routines.

Patches:
      jira_abe_2878_misdnuser_valgrind_findings.patch (license #5621) patch uploaded by rmudgett

JIRA ABE-2878

Modified:
    mISDNuser/trunk/lib/device.c

Modified: mISDNuser/trunk/lib/device.c
URL: http://svnview.digium.com/svn/thirdparty/mISDNuser/trunk/lib/device.c?view=diff&rev=196&r1=195&r2=196
==============================================================================
--- mISDNuser/trunk/lib/device.c (original)
+++ mISDNuser/trunk/lib/device.c Fri Sep 21 11:08:49 2012
@@ -165,7 +165,7 @@
 	if (ep >= dev->iend)
 		dev->iend = (u_char *)frm;
 	else {
-		memcpy(frm, ep, dev->iend - ep);
+		memmove(frm, ep, dev->iend - ep);
 		dev->iend -= len; 
 	}
 	
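Review bot: the else branch deserves a one-line comment saying that `frm` and `ep` point into the same input buffer, so the source and destination ranges can overlap and `memmove()` is required; without it the call is easy to "optimize" back to `memcpy()`. It is also worth confirming that `len` in `dev->iend -= len;` always equals the distance `ep - frm` that the data was shifted by, since nothing in these lines ties the two together, and a mismatch would leave `dev->iend` pointing past or short of the real end of data.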
@@ -274,7 +274,7 @@
 			} else
 #endif
 				pthread_mutex_lock(&dev->rmutex);
-			len = dev->isize  - (dev->iend - dev->irp);
+			len = dev->isize  - (dev->iend - dev->inbuf);
 			if (len<=0) {
 				errno = ENOSPC;
 				ret = -1;
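Review bot: this path computes the free space from `dev->inbuf` but, unlike the later hunk, never rewinds `dev->irp` and `dev->iend` when the buffer has been fully consumed. Once `dev->iend` reaches the end of the buffer, `len` is 0 and the caller gets `ENOSPC` even if `dev->iend == dev->irp` and nothing is pending. Suggest adding the same reset here before the `len` calculation, or a comment explaining why this routine cannot reach that state.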
@@ -440,7 +440,11 @@
 				goto out;
 			}
 			if (FD_ISSET(fid, &in)) {
-				len = dev->isize - (dev->iend - dev->irp);
+				if (dev->iend == dev->irp) {
+					dev->irp = dev->inbuf;
+					dev->iend = dev->inbuf;
+				}
+				len = dev->isize - (dev->iend - dev->inbuf);
 				if (len<=0) {
 					errno = ENOSPC;
 					ret = -1;
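Review bot: the rewind in the new `if (dev->iend == dev->irp)` block only covers the fully drained case. If unread data remains while `dev->iend` sits at the end of the buffer, the space in front of `dev->irp` stays unusable and the read fails with `ENOSPC`; compacting the pending bytes to `dev->inbuf` with `memmove()` would avoid that. Since the log message says the cause of the end-of-buffer pointer was not identified, a diagnostic when `dev->iend` is at or beyond `dev->inbuf + dev->isize` would help find it. Please also confirm the lock protecting `dev->irp` and `dev->iend` is held at this point, as these lines do not show it.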



